[FFmpeg-cvslog] avformat/paf: Fix integer overflow and out of array read

Michael Niedermayer git at videolan.org
Fri Aug 9 14:22:34 CEST 2013


ffmpeg | branch: release/2.0 | Michael Niedermayer <michaelni at gmx.at> | Fri Aug  9 13:23:10 2013 +0200| [50f9c4acc3ea82a159713151e39f0f70c79aaf71] | committer: Michael Niedermayer

avformat/paf: Fix integer overflow and out of array read

Found-by:  Laurent Butti <laurentb at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit f58cd2867a8af2eed13acdd21d067b48249b14a1)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50f9c4acc3ea82a159713151e39f0f70c79aaf71
---

 libavformat/paf.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/paf.c b/libavformat/paf.c
index 09786eb..09aefe6 100644
--- a/libavformat/paf.c
+++ b/libavformat/paf.c
@@ -233,10 +233,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
         p->current_frame_block++;
     }
 
-    size = p->video_size - p->frames_offset_table[p->current_frame];
-    if (size < 1)
+    if (p->frames_offset_table[p->current_frame] >= p->video_size)
         return AVERROR_INVALIDDATA;
 
+    size = p->video_size - p->frames_offset_table[p->current_frame];
+
     if (av_new_packet(pkt, size) < 0)
         return AVERROR(ENOMEM);
 



More information about the ffmpeg-cvslog mailing list