[FFmpeg-cvslog] rtpdec_asf: Fix integer underflow that could allow remote code execution

Michael Niedermayer git at videolan.org
Mon Jun 4 13:13:42 CEST 2012


ffmpeg | branch: release/0.7 | Michael Niedermayer <michaelni at gmx.at> | Wed Sep  7 14:12:42 2011 +0200| [b15e85d8207bf644e5fc8837b4fad2ae3f33d021] | committer: Reinhard Tartler

rtpdec_asf: Fix integer underflow that could allow remote code execution

Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b15e85d8207bf644e5fc8837b4fad2ae3f33d021
---

 libavformat/rtpdec_asf.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 287025f..9d8c87b 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
 
                 int cur_len = start_off + len_off - off;
                 int prev_len = out_len;
+                void *newmem;
                 out_len += cur_len;
-                asf->buf = av_realloc(asf->buf, out_len);
+                if (FFMIN(cur_len, len - off) < 0)
+                    return -1;
+                newmem = av_realloc(asf->buf, out_len);
+                if (!newmem)
+                    return -1;
+                asf->buf = newmem;
                 memcpy(asf->buf + prev_len, buf + off,
                        FFMIN(cur_len, len - off));
                 avio_skip(pb, cur_len);



More information about the ffmpeg-cvslog mailing list