[FFmpeg-cvslog] avformat/icodec: Fix crash probing fuzzed file
Mark Harris
git at videolan.org
Sun Nov 27 01:41:15 EET 2016
ffmpeg | branch: release/3.0 | Mark Harris <mark.hsj at gmail.com> | Mon Feb 15 23:52:13 2016 -0800| [9375a7d85e8bc78dbb5cc101c37ff7c51f7d9b24] | committer: Andreas Cadhalpun
avformat/icodec: Fix crash probing fuzzed file
Avoid invalid memory read/crash when frame offset >= 0xfffffff8.
Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
(The previous commit verifies that p->buf_size >= 22.)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 56e2cd9c042e05255aa28487694c29aaec023263)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9375a7d85e8bc78dbb5cc101c37ff7c51f7d9b24
---
libavformat/icodec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/icodec.c b/libavformat/icodec.c
index 20721d5..bd83ef4 100644
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -60,7 +60,7 @@ static int probe(AVProbeData *p)
offset = AV_RL32(p->buf + 18 + i * 16);
if (offset < 22)
return FFMIN(i, AVPROBE_SCORE_MAX / 4);
- if (offset + 8 > p->buf_size)
+ if (offset > p->buf_size - 8)
return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1);
if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
return FFMIN(i, AVPROBE_SCORE_MAX / 4);
More information about the ffmpeg-cvslog
mailing list