The earlier version didn't really check that the 'p' of a "p\0" is actually part of a user_data section; instead, it treated the first "p\0" after the start of a user_data section as the end of a user_data section if it is close enough to the beginning of the user_data section; it actually needn't be part of a user_data section at all.
Furthermore, the code worked under the assumption that there is a 0x00 after the 'p' although this might not be true for extradata if the user_data unit is at the end of the extradata. Both of these flaws have been fixed. Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@googlemail.com> --- The earlier version was inspired by the check for packed bitstreams in decode_user_data() in mpeg4videodec.c where the "DivX" is mandatory, too. Note that this new version relies on there being no binary zero inside the user data. libavcodec/mpeg4_unpack_bframes_bsf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/mpeg4_unpack_bframes_bsf.c b/libavcodec/mpeg4_unpack_bframes_bsf.c index 1daf133ce5..37bb0b20e3 100644 --- a/libavcodec/mpeg4_unpack_bframes_bsf.c +++ b/libavcodec/mpeg4_unpack_bframes_bsf.c @@ -41,11 +41,12 @@ static void scan_buffer(const uint8_t *buf, int buf_size, if (startcode == USER_DATA_STARTCODE && pos_p) { /* check if the (DivX) userdata string ends with 'p' (packed) */ - for (int i = 0; i < 255 && pos + i + 1 < end; i++) { - if (pos[i] == 'p' && pos[i + 1] == '\0') { + for (int i = 0; i < 255 && pos + i < end; i++) { + if (pos[i] == 'p' && (pos + i + 1 == end || pos[i + 1] == '\0')) { *pos_p = pos + i - buf; break; - } + } else if (pos[i] == 0) + break; } } else if (startcode == VOP_STARTCODE && nb_vop) { *nb_vop += 1; -- 2.19.2
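Review bot: the new `else if (pos[i] == 0) break;` branch in the user-data loop stops the scan at the first zero byte, which is only correct under the assumption given below the `---` ("relies on there being no binary zero inside the user data"). Text below the `---` is dropped when the patch is applied, so that assumption ends up neither in the commit message nor in the code; consider stating it in the comment above the loop. Two smaller points in the same hunk: the terminator is written `'\0'` in the `if` and `0` in the `else if`, and the braced `if` is followed by an unbraced `else if`, so using `'\0'` and braces on both arms would read more consistently. With the loop bound changed to `pos + i < end`, the read of `pos[i + 1]` is in bounds only because `pos + i + 1 == end` is tested first, so the order of the two operands of `||` must stay as written.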