[FFmpeg-devel] [PATCH] nutdec: reject negative sm_size

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Fri Dec 18 17:22:31 CET 2015


If it is negative, it makes size larger than the size of the packet
buffer, causing invalid writes in avio_read.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavformat/nutdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 286d1ee..47ae7a7 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1146,6 +1146,11 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
             goto fail;
         }
         sm_size = avio_tell(bc) - pkt->pos;
+        if (sm_size < 0) {
+            av_log(nut->avf, AV_LOG_ERROR, "negative sm_size %d\n", sm_size);
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
         size      -= sm_size;
         pkt->size -= sm_size;
     }
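
Review bot: The new `if (sm_size < 0)` test bounds sm_size on one side only, while the unchanged lines right after it (`size -= sm_size;` and `pkt->size -= sm_size;`) go wrong just as easily when sm_size is larger than size. Both values would then become negative, and nothing visible in this hunk rejects that. Consider rejecting `sm_size > size` in the same condition so both directions return AVERROR_INVALIDDATA. Separately, the message prints sm_size with `%d`, but `avio_tell(bc) - pkt->pos` is a 64-bit difference. If sm_size is declared as int (its declaration is not in this hunk), the value is narrowed before the check, so a large offset difference could wrap to a non-negative number and pass. Comparing the 64-bit difference before assigning it would close that gap.
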
-- 
2.6.2

