[FFmpeg-cvslog] omadec: Properly check lengths before incrementing the position

Martin Storsjö git at videolan.org
Thu Jan 16 21:57:37 CET 2014


ffmpeg | branch: release/0.10 | Martin Storsjö <martin at martin.st> | Wed Sep 11 14:54:05 2013 +0300| [7981b5c20e614e792967f17d09cf1adfb07ae254] | committer: Luca Barbato

omadec: Properly check lengths before incrementing the position

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit 342c43d154e586bc022c86b168fe8d36f69da9d3)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
(cherry picked from commit 9eba02d5dd7036294ea350cb772822deec95b867)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7981b5c20e614e792967f17d09cf1adfb07ae254
---

 libavformat/omadec.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/omadec.c b/libavformat/omadec.c
index 9e8b43b..98ba1c5 100644
--- a/libavformat/omadec.c
+++ b/libavformat/omadec.c
@@ -170,7 +170,11 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, unsigned size,
     taglen = AV_RB32(&enc_header[pos+32]);
     datalen = AV_RB32(&enc_header[pos+36]) >> 4;
 
-    pos += 44 + taglen;
+    pos += 44;
+    if (size - pos < taglen)
+        return -1;
+
+    pos += taglen;
 
     if (datalen << 4 > size - pos)
         return -1;



More information about the ffmpeg-cvslog mailing list