[FFmpeg-cvslog] avformat/iff: check for possible overflow in 2nd argument of av_new_packet
Paul B Mahol
git at videolan.org
Fri Sep 25 21:31:44 CEST 2015
ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Fri Sep 25 21:21:24 2015 +0200| [aff3acc54c079c2e5720dae150b0d963fd8a9ab0] | committer: Paul B Mahol
avformat/iff: check for possible overflow in 2nd argument of av_new_packet
Signed-off-by: Paul B Mahol <onemda at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aff3acc54c079c2e5720dae150b0d963fd8a9ab0
---
libavformat/iff.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 8ea3b38..5973cde 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -721,11 +721,15 @@ static int iff_read_packet(AVFormatContext *s,
if (st->codec->codec_tag == ID_DSD || st->codec->codec_tag == ID_MAUD) {
ret = av_get_packet(pb, pkt, FFMIN(iff->body_end - pos, 1024 * st->codec->block_align));
} else {
+ if (iff->body_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
ret = av_get_packet(pb, pkt, iff->body_size);
}
} else if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
uint8_t *buf;
+ if (iff->body_size > INT_MAX - 2)
+ return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, iff->body_size + 2) < 0) {
return AVERROR(ENOMEM);
}
More information about the ffmpeg-cvslog
mailing list