[FFmpeg-cvslog] r16846 - trunk/libavformat/4xm.c
michael
subversion
Wed Jan 28 14:37:26 CET 2009
Author: michael
Date: Wed Jan 28 14:37:26 2009
New Revision: 16846
Log:
Fix remotely exploitable arbitrary code execution vulnerability.
Found by Tobias Klein / tk // trapkit / de /
See: http://www.trapkit.de/advisories/TKADV2009-004.txt
Modified:
trunk/libavformat/4xm.c
Modified: trunk/libavformat/4xm.c
==============================================================================
--- trunk/libavformat/4xm.c Wed Jan 28 12:12:19 2009 (r16845)
+++ trunk/libavformat/4xm.c Wed Jan 28 14:37:26 2009 (r16846)
@@ -166,12 +166,13 @@ static int fourxm_read_header(AVFormatCo
goto fail;
}
current_track = AV_RL32(&header[i + 8]);
+ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+ av_log(s, AV_LOG_ERROR, "current_track too large\n");
+ ret= -1;
+ goto fail;
+ }
if (current_track + 1 > fourxm->track_count) {
fourxm->track_count = current_track + 1;
- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){
- ret= -1;
- goto fail;
- }
fourxm->tracks = av_realloc(fourxm->tracks,
fourxm->track_count * sizeof(AudioTrack));
if (!fourxm->tracks) {
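Review bot: The added bound on `current_track` only keeps `track_count * sizeof(AudioTrack)` from wrapping, so a file can still request a reallocation of nearly `UINT_MAX` bytes, and the slots between the old `track_count` and the new index are not initialised in the lines shown here. A much smaller cap on the track index would be tighter. Unless code after this hunk already fills every slot, the new tail should be cleared after a successful `av_realloc`, e.g. `memset(&fourxm->tracks[old_count], 0, (fourxm->track_count - old_count) * sizeof(AudioTrack));` with `old_count` saved before `track_count` is updated. A short comment on the check, such as `/* current_track is read from the file; the unsigned cast also rejects negative values */`, would record why the cast is there. The body of `fourxm_read_header` starts and ends outside the hunk.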