[MPlayer-dev-eng] [patch] backports/fixes from uoti demux_mkv.c for comp_algo==3
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Thu Aug 12 19:46:27 CEST 2010
On Thu, Aug 12, 2010 at 09:33:40PM +0400, Yuriy Kaminskiy wrote:
> + } else if (track->encodings[i].comp_algo == 3) {
> + modified = 1;
> + *dest = malloc(*size + track->encodings[i].comp_settings_len);
Integer overflow?
> + memcpy(*dest, track->encodings[i].comp_settings, track->encodings[i].comp_settings_len);
> + memcpy(*dest + track->encodings[i].comp_settings_len, src, *size);
Possibly exploitable due to these
> + *size += track->encodings[i].comp_settings_len;
And code duplication with the same integer overflow issue.
More information about the MPlayer-dev-eng
mailing list