[FFmpeg-cvslog] 4xm: do not overread while parsing header

Luca Barbato git at videolan.org
Tue Aug 27 15:59:04 CEST 2013


ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Wed Jun  5 18:56:28 2013 +0200| [3f71c0c1b08a815609fba9a9378171d1181083d3] | committer: Luca Barbato

4xm: do not overread while parsing header

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11)

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f71c0c1b08a815609fba9a9378171d1181083d3
---

 libavformat/4xm.c |   20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 2396045..c0b3914 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
 }
 
 static int parse_vtrk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
     AVStream *st;
     /* check that there is enough data */
-    if (size != vtrk_SIZE) {
+    if (size != vtrk_SIZE || left < size + 8) {
         return AVERROR_INVALIDDATA;
     }
 
@@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,
 
 
 static int parse_strk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
     AVStream *st;
     int track;
     /* check that there is enough data */
-    if (size != strk_SIZE)
+    if (size != strk_SIZE || left < size + 8)
         return AVERROR_INVALIDDATA;
 
     track = AV_RL32(buf + 8);
@@ -225,14 +227,20 @@ static int fourxm_read_header(AVFormatContext *s)
         size       = AV_RL32(&header[i + 4]);
 
         if (fourcc_tag == std__TAG) {
+            if (header_size - i < 16) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
         } else if (fourcc_tag == vtrk_TAG) {
-            if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_vtrk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                 goto fail;
 
             i += 8 + size;
         } else if (fourcc_tag == strk_TAG) {
-            if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_strk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                 goto fail;
 
             i += 8 + size;



More information about the ffmpeg-cvslog mailing list