From 8e082b78c22d3cdf5fe4a221af6f08afba5e21a7 Mon Sep 17 00:00:00 2001 From: "Wang, Shaofei" Date: Thu, 21 Mar 2019 18:20:08 -0400 Subject: [PATCH] fixed buffer overflow issue in iemetadata Change-Id: I4a1b2dd88f9148304b5baf45ea333802d7c2bdb9 --- libavformat/iemetadataenc.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libavformat/iemetadataenc.c b/libavformat/iemetadataenc.c index 8249277..4db198d 100644 --- a/libavformat/iemetadataenc.c +++ b/libavformat/iemetadataenc.c @@ -34,9 +34,10 @@ #define JSON_FVALUE(str, name, value) sprintf(str, "\"%s\": %.1f,\n", name, value) #define JSON_IVALUE(str, name, value) sprintf(str, "\"%s\": %d,\n", name, value) #define JSON_LIVALUE(str, name, value) sprintf(str, "\"%s\": %ld,\n", name, value) -#define JSON_STRING(str, name, value) sprintf(str, "\"%s\": \"%s\",\n", name, value) +#define JSON_STRING(str, name, value) snprintf(str, TMP_STR_BUF_SIZE, "\"%s\": \"%s\",\n", name, value) #define BUFFER_SIZE (1024 * 1024) +#define TMP_STR_BUF_SIZE 4096 typedef struct IeMetaDataMuxer { const AVClass *class; @@ -90,7 +91,7 @@ static int pack(AVFormatContext *s, const char *org, ...) { va_list argp; int i, len; - char tmp_str[80]; + char tmp_str[TMP_STR_BUF_SIZE]; const char *p = org; char *name, *str; int ipara; @@ -121,13 +122,13 @@ static int pack(AVFormatContext *s, const char *org, ...) break; case '[': //group head str = va_arg(argp, char*); - sprintf(tmp_str, "\"%s\": [\n", str); + snprintf(tmp_str, TMP_STR_BUF_SIZE, "\"%s\": [\n", str); fill_line(s, tmp_str, md->current_escape_num, 0); ++md->current_escape_num; break; case '(': //element head str = va_arg(argp, char*); - sprintf(tmp_str, "\"%s\": {\n", str); + snprintf(tmp_str, TMP_STR_BUF_SIZE, "\"%s\": {\n", str); fill_line(s, tmp_str, md->current_escape_num, 0); ++md->current_escape_num; break; @@ -207,13 +208,13 @@ static int write_trailer(AVFormatContext *s) static int jhead_write(AVFormatContext *s, AVFrame *frm_data) { - char tmp_str[80]; + char tmp_str[TMP_STR_BUF_SIZE]; IeMetaDataMuxer *md = s->priv_data; long nano_ts = s->streams[0] ? av_q2d(s->streams[0]->time_base) * frm_data->pts * 1000000000 : -1; - sprintf(tmp_str, "\"resolution\":{\"width\":%d,\"height\":%d},\n", + snprintf(tmp_str, TMP_STR_BUF_SIZE, "\"resolution\":{\"width\":%d,\"height\":%d},\n", frm_data->width, frm_data->height); pack(s, "{IsS", "timestamp", nano_ts, "source", md->source, @@ -234,7 +235,7 @@ static int jhead_write(AVFormatContext *s, AVFrame *frm_data) if (token == NULL) break; sscanf(token, "%127[^:]:%f", key, &value); - offset += sprintf(tmp_str + offset, "\"%s\":%1.3f,", key, value); + offset += snprintf(tmp_str + offset, TMP_STR_BUF_SIZE - offset, "\"%s\":%1.3f,", key, value); } sprintf(tmp_str + offset - 2, "},\n"); } @@ -256,7 +257,7 @@ static int jtail_write(AVFormatContext *s) static int write_packet(AVFormatContext *s, AVPacket *pkt) { int i, j, head_written = 0; - char tmp_str[80]; + char tmp_str[TMP_STR_BUF_SIZE]; AVFrame *frm_data = (AVFrame *)pkt->data; AVFrameSideData *sd; InferDetectionMeta *meta; @@ -287,7 +288,7 @@ static int write_packet(AVFormatContext *s, AVPacket *pkt) } else { int label_id = bboxes->bbox[i]->label_id; LabelsArray *array = (LabelsArray*)(bboxes->bbox[i]->label_buf->data); - sprintf(tmp_str, "%s", array->label[label_id]); + snprintf(tmp_str, TMP_STR_BUF_SIZE, "%s", array->label[label_id]); } pack(s, "{((ffff),isifS),", -- 2.7.4