[FFmpeg-devel] [PATCH] Fix 'while' loop condition to prevent movtext crashes by tracking packet size
Philip Langdale
philipl at overt.org
Tue May 19 04:37:55 CEST 2015
On Tue, 19 May 2015 03:47:50 +0530
Niklesh Lalwani <niklesh.lalwani at iitb.ac.in> wrote:
> Updated patch.
>
> -Niklesh
> + while (tracksize + 8 <= avpkt->size) {
> + // A box is a minimum of 8 bytes.
> + tsmb = ptr + tracksize - 2;
> tsmb_size = AV_RB32(tsmb);
> tsmb += 4;
> tsmb_type = AV_RB32(tsmb);
> tsmb += 4;
>
> + if (tracksize + tsmb_size > avpkt->size)
> + break;
> +
> if (tsmb_type == MKBETAG('s','t','y','l')) {
>
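Review bot: The new check `if (tracksize + tsmb_size > avpkt->size)` only rejects boxes that are too large; a `tsmb_size` below 8 (including 0) still passes, although the comment on the loop says a box is a minimum of 8 bytes. Rejecting `tsmb_size < 8` at this point would keep a malformed size field out of the rest of the loop body. Because `tsmb_size` comes straight from `AV_RB32(tsmb)`, the addition could also wrap depending on the variable types, which are not shown here; writing the test as `tsmb_size > avpkt->size - tracksize` avoids that, and the loop condition already guarantees the subtraction leaves at least 8. The `- 2` in `tsmb = ptr + tracksize - 2` deserves a comment as well.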
You need to make sure you have two more bytes to read here first.
> style_entries = AV_RB16(tsmb);
> tsmb += 2;
>
> + // A single style record is of length 12 bytes.
> + if (tracksize + 10 + style_entries * 12 >
> avpkt->size)
> + break;
> +
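Review bot: The entry-count check in the `styl` branch bounds `style_entries * 12` against `avpkt->size` only, not against the box's own `tsmb_size`, so a count larger than the box declares is accepted as long as it still fits in the packet. Consider also requiring that the style records fit within `tsmb_size`, and add a short comment saying which bytes the constant 10 accounts for, since that is not evident from the surrounding lines.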
Rest looks good. Thanks!
--phil