From 93690bfdd65247709247d8d6e32f07111320ca14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?=
Date: Fri, 31 Jul 2009 20:25:17 +0100
Subject: [PATCH] flvmux: fix invalid write caused by using sizeof("string") as length
sizeof("foo") includes the string's NUL-terminator in the size returned, but we're writing strings here with an explicit size at the beginning and no NUL-terminator.
In most cases using sizeof("foo") as length in memcpy is not harmful, but it is where the string goes right at the end of our buffer to write, since we don't allocate space for that NUL terminator.
---
 gst/flv/gstflvmux.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/gst/flv/gstflvmux.c b/gst/flv/gstflvmux.c
index 2b5caccf55..ab385f0ef9 100644
--- a/gst/flv/gstflvmux.c
+++ b/gst/flv/gstflvmux.c
@@ -600,8 +600,8 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 2; /* string */
 data[1] = 0;
- data[2] = 0x0a; /* length 10 */
- memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+ data[2] = 10; /* length 10 */
+ memcpy (&data[3], "onMetaData", 10);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -682,7 +682,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 8 bytes name */
 data[1] = 8;
- memcpy (&data[2], "duration", sizeof ("duration"));
+ memcpy (&data[2], "duration", 8);
 data[10] = 0; /* double */
 GST_WRITE_DOUBLE_BE (data + 11, d);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -713,7 +713,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 12 bytes name */
 data[1] = 12;
- memcpy (&data[2], "AspectRatioX", sizeof ("AspectRatioX"));
+ memcpy (&data[2], "AspectRatioX", 12);
 data[14] = 0; /* double */
 GST_WRITE_DOUBLE_BE (data + 15, d);
 script_tag = gst_buffer_join (script_tag, tmp);
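Review bot: The new `data[2] = 10;` and `memcpy (&data[3], "onMetaData", 10);` lines now carry the same literal length in two places, with `data[1] = 0;` above them forming the high byte of what is a 16-bit big-endian AMF0 string length written by hand, so a later edit of the literal can silently drift from its length field. Derive the count from the literal instead, `data[2] = sizeof ("onMetaData") - 1;` and `memcpy (&data[3], "onMetaData", sizeof ("onMetaData") - 1);`, which keeps the original intent of the patch (no NUL copied) while removing the magic number. The buffer `tmp` whose size makes this 13-byte write in-bounds is allocated outside the hunk, so the fix presumably relies on that allocation being at least 1 + 2 + 10 bytes; a short comment such as `/* 1 type byte + 2 length bytes + 10 chars, no NUL */` next to the writes would record that invariant for the next maintainer. gst_flv_mux_write_metadata starts and ends outside this hunk.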
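Review bot: With the new `memcpy (&data[2], "duration", 8);` line the name length 8 is hard-coded in the comment, in `data[1] = 8;` and in the memcpy count, and it is also baked into the offsets `data[10]` and `data + 11` two lines below, so five spots have to be kept in step by hand. Using `data[1] = sizeof ("duration") - 1;` and `memcpy (&data[2], "duration", sizeof ("duration") - 1);` ties at least the length field and the copy to the literal, and the same pattern fits the AspectRatioX, AspectRatioY, metadatacreator and creationdate properties written the same way further down in this file. The offsets that follow could likewise be expressed relative to that length rather than as absolute indices, but that is a larger cleanup than this fix. gst_flv_mux_write_metadata continues outside this hunk on both sides.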
@@ -724,7 +724,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 12 bytes name */
 data[1] = 12;
- memcpy (&data[2], "AspectRatioY", sizeof ("AspectRatioY"));
+ memcpy (&data[2], "AspectRatioY", 12);
 data[14] = 0; /* double */
 GST_WRITE_DOUBLE_BE (data + 15, d);
 script_tag = gst_buffer_join (script_tag, tmp);
@@ -740,7 +740,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 15 bytes name */
 data[1] = 15;
- memcpy (&data[2], "metadatacreator", sizeof ("metadatacreator"));
+ memcpy (&data[2], "metadatacreator", 15);
 data[17] = 2; /* string */
 data[18] = (strlen (s) >> 8) & 0xff;
 data[19] = (strlen (s)) & 0xff;
@@ -775,7 +775,7 @@ gst_flv_mux_write_metadata (GstFlvMux * mux)
 data = GST_BUFFER_DATA (tmp);
 data[0] = 0; /* 12 bytes name */
 data[1] = 12;
- memcpy (&data[2], "creationdate", sizeof ("creationdate"));
+ memcpy (&data[2], "creationdate", 12);
 data[14] = 2; /* string */
 data[15] = (strlen (s) >> 8) & 0xff;
 data[16] = (strlen (s)) & 0xff;
@@ -1019,7 +1019,7 @@ gst_flv_mux_write_index (GstFlvMux * mux)
 data[0] = 2; /* string */
 data[1] = 0;
 data[2] = 0x0a; /* length 10 */
- memcpy (&data[3], "onMetaData", sizeof ("onMetaData"));
+ memcpy (&data[3], "onMetaData", 10);
 script_tag = gst_buffer_join (script_tag, tmp);
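Review bot: The context lines `data[18] = (strlen (s) >> 8) & 0xff;` and `data[19] = (strlen (s)) & 0xff;` just below the changed memcpy truncate the string length to the 16 bits an AMF0 string header can hold, and if the copy of `s` that presumably follows outside this hunk uses the full `strlen (s)`, a value above 65535 would write more bytes than the header announces, leaving a malformed tag. Cache the length once and bound it, e.g. `gsize slen = strlen (s);` followed by a check that `slen <= G_MAXUINT16` before the two byte writes, which also avoids calling strlen twice. Whether `s` can ever be that long cannot be told from the hunk; if it is a fixed creator string this is a robustness nit, if it can come from upstream tags it is a real length mismatch. gst_flv_mux_write_metadata starts and ends outside this hunk.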
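Review bot: The context lines `data[15] = (strlen (s) >> 8) & 0xff;` and `data[16] = (strlen (s)) & 0xff;` below the changed memcpy reduce `strlen (s)` to a 16-bit value without checking that it fits, so a creation-date string longer than 65535 bytes would get a header that disagrees with however many bytes are copied afterwards (that copy is outside the hunk). Computing the length once into a local and rejecting or clamping it when it exceeds `G_MAXUINT16` before these two writes would make the tag self-consistent for any input. The origin of `s` is not visible here, so this may be purely defensive. gst_flv_mux_write_metadata continues outside this hunk.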
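Review bot: The context line `data[2] = 0x0a; /* length 10 */` is the same onMetaData header that this patch rewrote as `data[2] = 10;` in gst_flv_mux_write_metadata, so the two copies of the header now differ cosmetically while doing the same thing; either change this one to `data[2] = 10;` as well or, better, use `sizeof ("onMetaData") - 1` for both the length byte and the memcpy count so the value is derived from the literal in both places. The 13-byte header is duplicated verbatim between gst_flv_mux_write_index and gst_flv_mux_write_metadata, and a small static helper that writes the type byte, the 16-bit length and the characters would keep the two from diverging again, as they did before this fix. gst_flv_mux_write_index starts and ends outside this hunk.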