[FFmpeg-devel] [PATCH] avformat/icodec: Fix crash probing fuzzed file
Michael Bradshaw
mjbshaw at gmail.com
Mon Feb 15 20:01:20 CET 2016
On Mon, Feb 15, 2016 at 9:57 AM, Mark Harris <mark.hsj at gmail.com> wrote:
> Avoid invalid memory read/crash when ico offset >= 0xfffffff8.
> Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
> ---
> libavformat/icodec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/icodec.c b/libavformat/icodec.c
> index 6ddb901..8f84337 100644
> --- a/libavformat/icodec.c
> +++ b/libavformat/icodec.c
> @@ -60,7 +60,7 @@ static int probe(AVProbeData *p)
> offset = AV_RL32(p->buf + 18 + i * 16);
> if (offset < 22)
> return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> - if (offset + 8 > p->buf_size)
> + if (offset > p->buf_size - 8)
Is AVProbeData.buf_size guaranteed to be >= 8?
> return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1);
> if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
> return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> --
> 2.7.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
More information about the ffmpeg-devel
mailing list