[FFmpeg-cvslog] Additional checks to prevent overread.
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Fri Nov 30 20:09:52 CET 2012
On Fri, Nov 30, 2012 at 03:59:47PM +0100, Vitaliy E Sugrobov wrote:
> @@ -332,6 +350,10 @@ static int gif_read_extension(GifState *s)
> /* NOTE: many extension blocks can come after */
> discard_ext:
> while (ext_len != 0) {
> + /* There must be at least ext_len bytes and 1 for next block size byte. */
> + if (s->bytestream_end < s->bytestream + ext_len + 1)
> + return AVERROR_INVALIDDATA;
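Review bot: the bound check in this hunk forms the pointer `s->bytestream + ext_len + 1` before comparing it with `s->bytestream_end`; when `ext_len` exceeds the remaining input that pointer lies outside the buffer (undefined behaviour in C, and it can wrap on a real machine), so the comparison can pass and the overread is not prevented. Compare lengths instead of pointers, e.g. `if (ext_len > s->bytestream_end - s->bytestream - 1) return AVERROR_INVALIDDATA;`, which never computes an out-of-range pointer and is also safe if `ext_len + 1` itself could wrap.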
The other checks are less critical, but these checks are all wrong.
The addition s->bytestream + <some unvalidated length> can overflow.
They must be written as
    if (ext_len + 1 > s->bytestream_end - s->bytestream)
or better (if you cannot assume that ext_len + 1 does not overflow)
    if (ext_len > s->bytestream_end - s->bytestream - 1)
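The length-based form of the check described above, applied to the GIF extension sub-block chain that the hunk's loop skips, as an added example that is neither the patch's nor FFmpeg's code; EXT_ERR_INVALIDDATA, ext_block_fits and skip_gif_ext_blocks are constructed stand-ins, and the sample bytes in the comments are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for FFmpeg's AVERROR_INVALIDDATA. */
#define EXT_ERR_INVALIDDATA (-1)

/*
 * Overflow-safe bound check: instead of forming the pointer cur + ext_len + 1
 * (which may lie outside the buffer and wrap), compare the length against the
 * bytes that remain, i.e.  ext_len > end - cur - 1.  The cur < end test makes
 * end - cur >= 1, so the size_t subtraction below cannot wrap either.
 */
static int ext_block_fits(const uint8_t *cur, const uint8_t *end, size_t ext_len)
{
    if (cur >= end)
        return 0;
    return ext_len <= (size_t)(end - cur) - 1;
}

/*
 * Skip a chain of GIF extension sub-blocks starting at buf[*pos]: each
 * sub-block is a length byte followed by that many data bytes, and a zero
 * length byte terminates the chain (the "discard_ext" loop in the decoder).
 * On success *pos is moved past the terminator and 0 is returned; if the
 * input ends before the chain does, EXT_ERR_INVALIDDATA is returned.
 */
int skip_gif_ext_blocks(const uint8_t *buf, size_t buf_size, size_t *pos)
{
    const uint8_t *cur, *end = buf + buf_size;
    unsigned ext_len;

    if (*pos >= buf_size)               /* need at least the first size byte */
        return EXT_ERR_INVALIDDATA;
    cur = buf + *pos;
    ext_len = *cur++;

    while (ext_len != 0) {
        /* ext_len data bytes plus 1 for the next block size byte must remain */
        if (!ext_block_fits(cur, end, ext_len))
            return EXT_ERR_INVALIDDATA;
        cur += ext_len;
        ext_len = *cur++;
    }
    *pos = (size_t)(cur - buf);
    return 0;
}

/* Convenience wrapper: offset just past the chain, or -1 on malformed input.
 * Constructed sample: {0x02,'H','i',0x01,'!',0x00} is a valid chain ending at 6;
 * {0x02,'H','i',0x01,'!'} is truncated and is rejected. */
long ext_chain_end(const uint8_t *buf, size_t buf_size)
{
    size_t pos = 0;
    return skip_gif_ext_blocks(buf, buf_size, &pos) == 0 ? (long)pos : -1;
}
```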