[FFmpeg-cvslog] 4xm: do not overread while parsing header
Luca Barbato
git at videolan.org
Tue Aug 27 15:59:04 CEST 2013
ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Wed Jun 5 18:56:28 2013 +0200| [3f71c0c1b08a815609fba9a9378171d1181083d3] | committer: Luca Barbato
4xm: do not overread while parsing header
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f71c0c1b08a815609fba9a9378171d1181083d3
---
libavformat/4xm.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 2396045..c0b3914 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
}
static int parse_vtrk(AVFormatContext *s,
- FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+ FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+ int left)
{
AVStream *st;
/* check that there is enough data */
- if (size != vtrk_SIZE) {
+ if (size != vtrk_SIZE || left < size + 8) {
return AVERROR_INVALIDDATA;
}
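Review bot: The added `left < size + 8` test in parse_vtrk is overflow-safe only because `size != vtrk_SIZE` is evaluated first and short-circuits, and nothing in the code says so. `size` comes from the file (the caller reads it with AV_RL32), so if the equality test were ever relaxed to a lower bound, `size + 8` on a signed int could wrap and the length check would pass. I would record the dependency next to the check, e.g. `/* size is pinned to vtrk_SIZE above, so size + 8 cannot overflow; 8 is presumably the chunk tag plus length field */`, and document `left` as the number of bytes available from `buf` to the end of the header. The same applies to the identical check in parse_strk in the next hunk. parse_vtrk's body continues outside the hunk.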
@@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,
static int parse_strk(AVFormatContext *s,
- FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+ FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+ int left)
{
AVStream *st;
int track;
/* check that there is enough data */
- if (size != strk_SIZE)
+ if (size != strk_SIZE || left < size + 8)
return AVERROR_INVALIDDATA;
track = AV_RL32(buf + 8);
@@ -225,14 +227,20 @@ static int fourxm_read_header(AVFormatContext *s)
size = AV_RL32(&header[i + 4]);
if (fourcc_tag == std__TAG) {
+ if (header_size - i < 16) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
} else if (fourcc_tag == vtrk_TAG) {
- if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
+ if ((ret = parse_vtrk(s, fourxm, header + i, size,
+ header_size - i)) < 0)
goto fail;
i += 8 + size;
} else if (fourcc_tag == strk_TAG) {
- if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
+ if ((ret = parse_strk(s, fourxm, header + i, size,
+ header_size - i)) < 0)
goto fail;
i += 8 + size;
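Review bot: The three new bounds checks in fourxm_read_header each recompute `header_size - i`, and the std_ branch compares it against a bare `16` whose origin is not stated. The 16 follows from the 4-byte read at `header[i + 12]` on the next line; a comment such as `/* fps is a 32-bit value at offset 12 of the chunk */` would keep the check and the read from drifting apart. A local `int left = header_size - i;` computed once after `size` is read would let all three branches use the same name as the callee parameter. `size` is still taken from the file unvalidated at the top of the hunk, and adding it to `i` is safe only because both parse functions reject any value other than the fixed chunk size, which matters if another chunk type is handled here later. The loop header and the `fail` label are outside the hunk.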