[FFmpeg-cvslog] avformat/smacker: fix integer overflow with pts_inc

Michael Niedermayer git at videolan.org
Sun Dec 6 04:41:23 CET 2015


ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sat Dec  5 13:06:16 2015 +0100| [0e3ec7db5334e580b2d85153d025042c8236901e] | committer: Michael Niedermayer

avformat/smacker: fix integer overflow with pts_inc

Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83)

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e3ec7db5334e580b2d85153d025042c8236901e
---

 libavformat/smacker.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 5dcf4ad..de8bbdb 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
     smk->height = avio_rl32(pb);
     smk->frames = avio_rl32(pb);
     smk->pts_inc = (int32_t)avio_rl32(pb);
+    if (smk->pts_inc > INT_MAX / 100) {
+        av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+        return AVERROR_INVALIDDATA;
+    }
+
     smk->flags = avio_rl32(pb);
     if(smk->flags & SMACKER_FLAG_RING_FRAME)
         smk->frames++;
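Review bot: The new bound on `smk->pts_inc`, placed right after the `(int32_t)avio_rl32(pb)` read, checks only the positive side, so a large-magnitude negative value (down to INT_MIN) still passes even though the cast makes the field signed. If negative values are negated or scaled later in smacker_read_header, which these lines do not show, they need their own bound, for example also rejecting `smk->pts_inc < -INT_MAX`. The divisor 100 is unexplained in this hunk; a short comment naming the later multiplication it guards would keep the check and the arithmetic from drifting apart.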


