[FFmpeg-cvslog] avformat/asfdec_o: Check size_bmp more fully
Michael Niedermayer
git at videolan.org
Thu Aug 16 00:49:33 EEST 2018
ffmpeg | branch: release/3.2 | Michael Niedermayer <michael at niedermayer.cc> | Tue Jul 3 21:01:23 2018 +0200| [67149cb2f68e3e96cd75804d83827ccd03386695] | committer: James Almer
avformat/asfdec_o: Check size_bmp more fully
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7
Found-by: Paul Ch <paulcher at icloud.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869)
Signed-off-by: James Almer <jamrial at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67149cb2f68e3e96cd75804d83827ccd03386695
---
libavformat/asfdec_o.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 593c010204..3f43fd1b47 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -704,7 +704,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
size_bmp = FFMAX(size_asf, size_bmp);
- if (size_bmp > BMP_HEADER_SIZE) {
+ if (size_bmp > BMP_HEADER_SIZE &&
+ size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
int ret;
st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE;
if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +
More information about the ffmpeg-cvslog
mailing list