[FFmpeg-cvslog] flac_picture: prevent a possible out of bound write

Vittorio Giovara git at videolan.org
Sat Oct 25 04:15:15 CEST 2014 

ffmpeg | branch: master | Vittorio Giovara <vittorio.giovara at gmail.com> | Mon Oct 20 14:11:21 2014 +0100| [0b66fb4505e0bb43de3797f63f3290f0188d67cc] | committer: Vittorio Giovara

flac_picture: prevent a possible out of bound write

At "mimetype[len] = 0;" mimetype is a 64 element array and len might be
equal to or greater than that.

CC: libav-stable at libav.org
Bug-Id: CID 1061055

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0b66fb4505e0bb43de3797f63f3290f0188d67cc
---

 libavformat/flac_picture.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c
index 69d2724..a6b5537 100644
--- a/libavformat/flac_picture.c
+++ b/libavformat/flac_picture.c
@@ -31,8 +31,8 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
     uint8_t mimetype[64], *desc = NULL;
     AVIOContext *pb = NULL;
     AVStream *st;
-    int type, width, height;
-    int len, ret = 0;
+    int width, height, ret = 0;
+    unsigned int type, len;
 
     pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL);
     if (!pb)
@@ -40,7 +40,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 
     /* read the picture type */
     type = avio_rb32(pb);
-    if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types) || type < 0) {
+    if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
         av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
         if (s->error_recognition & AV_EF_EXPLODE) {
             ret = AVERROR_INVALIDDATA;
@@ -51,7 +51,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 
     /* picture mimetype */
     len = avio_rb32(pb);
-    if (len <= 0 ||
+    if (!len || len >= 64 ||
         avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) {
         av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
                "picture.\n");
@@ -100,7 +100,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 
     /* picture data */
     len = avio_rb32(pb);
-    if (len <= 0) {
+    if (!len) {
         av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len);
         if (s->error_recognition & AV_EF_EXPLODE)
             ret = AVERROR_INVALIDDATA;

More information about the ffmpeg-cvslog mailing list