[FFmpeg-cvslog] avformat/mpc8: fix hang with fuzzed file
wm4
git at videolan.org
Wed Feb 4 00:48:14 CET 2015
ffmpeg | branch: master | wm4 <nfxjfg at googlemail.com> | Tue Feb 3 19:04:12 2015 +0100| [56cc024220886927350cfc26ee695062ca7ecaf4] | committer: Michael Niedermayer
avformat/mpc8: fix hang with fuzzed file
This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.
Fixes ticket #4262.
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56cc024220886927350cfc26ee695062ca7ecaf4
---
libavformat/mpc8.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index a15dc25..722d0ee 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -223,6 +223,10 @@ static int mpc8_read_header(AVFormatContext *s)
while(!avio_feof(pb)){
pos = avio_tell(pb);
mpc8_get_chunk_header(pb, &tag, &size);
+ if (size < 0) {
+ av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+ return AVERROR_INVALIDDATA;
+ }
if(tag == TAG_STREAMHDR)
break;
mpc8_handle_chunk(s, tag, pos, size);
More information about the ffmpeg-cvslog
mailing list