RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

flac_picture: prevent a possible out of bound write 

At "mimetype[len] = 0;" mimetype is a 64 element array and len might be
equal to or greater than that.

CC: libav-stable@libav.org
Bug-Id: CID 1061055
This commit is contained in:
Vittorio Giovara 2014-10-20 14:11:21 +01:00
parent f1ed83e23a
commit 0b66fb4505
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavformat/flac_picture.c
View File

@ -31,8 +31,8 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
uint8_t mimetype[64], *desc = NULL; uint8_t mimetype[64], *desc = NULL;
AVIOContext *pb = NULL; AVIOContext *pb = NULL;
AVStream *st; AVStream *st;
int type, width, height; int width, height, ret = 0;
int len, ret = 0; unsigned int type, len;
pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL); pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL);
if (!pb) if (!pb)
@ -40,7 +40,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* read the picture type */ /* read the picture type */
type = avio_rb32(pb); type = avio_rb32(pb);
if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types) || type < 0) { if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type); av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
if (s->error_recognition & AV_EF_EXPLODE) { if (s->error_recognition & AV_EF_EXPLODE) {
ret = AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;
@ -51,7 +51,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* picture mimetype */ /* picture mimetype */
len = avio_rb32(pb); len = avio_rb32(pb);
if (len <= 0 || if (!len || len >= 64 ||
avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) { avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) {
av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached " av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
"picture.\n"); "picture.\n");
@ -100,7 +100,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* picture data */ /* picture data */
len = avio_rb32(pb); len = avio_rb32(pb);
if (len <= 0) { if (!len) {
av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len); av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len);
if (s->error_recognition & AV_EF_EXPLODE) if (s->error_recognition & AV_EF_EXPLODE)
ret = AVERROR_INVALIDDATA; ret = AVERROR_INVALIDDATA;