avformat/mpegts: Shuffle avio_seek

This avoids accessing an old, no longer valid buffer. Fixes: out of array access Fixes: crash_audio-2020 Found-by: le wu <shoulewoba@gmail.com> Reviewed-by: Marton Balint <cus@passwd.hu> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit cd74af14162c803f18e90bb12b52135e893d990c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-05-07 13:38:26 +0300
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-05-19 18:17:36 +0300
commit: b0b8ce0002402b4f4c0a785b6d9380e1f786a5e0 (patch)
tree: 2e7d7331eca326d9afbdc4ad85d68d2fa793f390 /libavformat/mpegts.c
parent: 36786f54e788cdfd24e11a45d8bd5690ec37e82a (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 64dc2b5233..6f99904cbf 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -2765,15 +2765,16 @@ static int mpegts_resync(AVFormatContext *s, int seekback, const uint8_t *curren
     AVIOContext *pb = s->pb;
     int c, i;
     uint64_t pos = avio_tell(pb);
-
-    avio_seek(pb, -FFMIN(seekback, pos), SEEK_CUR);
+    int64_t back = FFMIN(seekback, pos);
 
     //Special case for files like 01c56b0dc1.ts
     if (current_packet[0] == 0x80 && current_packet[12] == 0x47) {
-        avio_seek(pb, 12, SEEK_CUR);
+        avio_seek(pb, 12 - back, SEEK_CUR);
         return 0;
     }
 
+    avio_seek(pb, -back, SEEK_CUR);
+
     for (i = 0; i < ts->resync_size; i++) {
         c = avio_r8(pb);
         if (avio_feof(pb))
author	Michael Niedermayer <michael@niedermayer.cc>	2020-05-07 13:38:26 +0300
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-05-19 18:17:36 +0300
commit	b0b8ce0002402b4f4c0a785b6d9380e1f786a5e0 (patch)
tree	2e7d7331eca326d9afbdc4ad85d68d2fa793f390 /libavformat/mpegts.c
parent	36786f54e788cdfd24e11a45d8bd5690ec37e82a (diff)