[FFmpeg-cvslog] rtp: Fix integer underflow that could allow remote code execution.

Michael Niedermayer git at videolan.org
Wed Sep 7 15:16:25 CEST 2011


ffmpeg | branch: release/0.7 | Michael Niedermayer <michaelni at gmx.at> | Wed Sep  7 14:12:42 2011 +0200| [c2a2ad133eb9d42361804a568dee336992349a5e] | committer: Michael Niedermayer

rtp: Fix integer underflow that could allow remote code execution.

Fixes MSVR-11-0088
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit ba9a7e0d71bd34f8b89ae99322b62a310be163a6)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2a2ad133eb9d42361804a568dee336992349a5e
---

 libavformat/rtpdec_asf.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 4f77645..384aeb2 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
                 int prev_len = out_len;
                 out_len += cur_len;
                 asf->buf = av_realloc(asf->buf, out_len);
+                if(!asf->buf || FFMIN(cur_len, len - off)<0)
+                    return -1;
                 memcpy(asf->buf + prev_len, buf + off,
                        FFMIN(cur_len, len - off));
                 avio_skip(pb, cur_len);



More information about the ffmpeg-cvslog mailing list