[MPlayer-dev-eng] [patch] backports/fixes from uoti demux_mkv.c for comp_algo==3

Reimar Döffinger Reimar.Doeffinger at gmx.de
Thu Aug 12 19:46:27 CEST 2010


On Thu, Aug 12, 2010 at 09:33:40PM +0400, Yuriy Kaminskiy wrote:
> +        } else if (track->encodings[i].comp_algo == 3) {
> +            modified = 1;
> +            *dest = malloc(*size + track->encodings[i].comp_settings_len);

Integer overflow?

> +            memcpy(*dest, track->encodings[i].comp_settings, track->encodings[i].comp_settings_len);
> +            memcpy(*dest + track->encodings[i].comp_settings_len, src, *size);

Possibly exploitable due to these

> +            *size += track->encodings[i].comp_settings_len;

And code duplication with the same integer overflow issue.


More information about the MPlayer-dev-eng mailing list