[FFmpeg-cvslog] avformat/mpc8: fix hang with fuzzed file

wm4 git at videolan.org
Thu Mar 12 00:52:52 CET 2015


ffmpeg | branch: release/0.7 | wm4 <nfxjfg at googlemail.com> | Tue Feb  3 19:04:12 2015 +0100| [42b4ba4a8ae261609100ed41b773b26f9989941e] | committer: Michael Niedermayer

avformat/mpc8: fix hang with fuzzed file

This can lead to an endless loop by seeking back a few bytes after each
attempted chunk read. Assuming negative sizes are always invalid, this
is easy to fix. Other code in this demuxer treats negative sizes as
invalid as well.

Fixes ticket #4262.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 56cc024220886927350cfc26ee695062ca7ecaf4)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42b4ba4a8ae261609100ed41b773b26f9989941e
---

 libavformat/mpc8.c |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index db23781..161cee3 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -204,6 +204,10 @@ static int mpc8_read_header(AVFormatContext *s, AVFormatParameters *ap)
     while(!url_feof(pb)){
         pos = avio_tell(pb);
         mpc8_get_chunk_header(pb, &tag, &size);
+        if (size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid chunk length\n");
+            return AVERROR_INVALIDDATA;
+        }
         if(tag == TAG_STREAMHDR)
             break;
         mpc8_handle_chunk(s, tag, pos, size);
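
Review bot: The `size < 0` check added after `mpc8_get_chunk_header(pb, &tag, &size)` protects only this loop in `mpc8_read_header`. The commit message says other code in the demuxer also rejects negative sizes, so consider validating inside `mpc8_get_chunk_header()` and returning an error from it (the call here does not use a return value), so every caller gets the same guarantee. The "Invalid chunk length" message would also be easier to triage on fuzzed samples if it logged the offending `size` and the chunk offset `pos`.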


