[FFmpeg-cvslog] avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write()

Michael Niedermayer git at videolan.org
Wed Jun 17 22:09:37 CEST 2015


ffmpeg | branch: release/2.2 | Michael Niedermayer <michaelni at gmx.at> | Mon May 11 15:23:51 2015 +0200| [d27b9d3bd1d216ec98807a8d7f1e04aab3975d8c] | committer: Michael Niedermayer

avformat/vorbiscomment: Check entry length in ff_vorbiscomment_write()

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit eca38864a6ce5053e463b8d3fc22b22bc9a49578)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d27b9d3bd1d216ec98807a8d7f1e04aab3975d8c
---

 libavformat/vorbiscomment.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/vorbiscomment.c b/libavformat/vorbiscomment.c
index f17a0c1..7ca919c 100644
--- a/libavformat/vorbiscomment.c
+++ b/libavformat/vorbiscomment.c
@@ -63,8 +63,10 @@ int ff_vorbiscomment_write(uint8_t **p, AVDictionary **m,
         AVDictionaryEntry *tag = NULL;
         bytestream_put_le32(p, count);
         while ((tag = av_dict_get(*m, "", tag, AV_DICT_IGNORE_SUFFIX))) {
-            unsigned int len1 = strlen(tag->key);
-            unsigned int len2 = strlen(tag->value);
+            int64_t len1 = strlen(tag->key);
+            int64_t len2 = strlen(tag->value);
+            if (len1+1+len2 > UINT32_MAX)
+                return AVERROR(EINVAL);
             bytestream_put_le32(p, len1+1+len2);
             bytestream_put_buffer(p, tag->key, len1);
             bytestream_put_byte(p, '=');



More information about the ffmpeg-cvslog mailing list