avformat/mms: Add missing chunksize check

Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch <paulcher@icloud.com> 1st hunk by Paul Ch <paulcher@icloud.com> Tested-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit cced03dd66) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2018-07-03 20:33:04 +02:00 · 2018-07-03 20:33:04 +02:00 · 4d77a4a54d
parent 9bb3047060
commit 4d77a4a54d
1 changed files with 26 additions and 18 deletions
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@ -94,6 +94,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
                }
            }
        } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) {
+            if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) {
                flags     = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
                stream_id = flags & 0x7F;
                //The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
@ -113,6 +114,7 @@ int ff_mms_asf_header_parser(MMSContext *mms)
                           "Corrupt stream (too many A/V streams)\n");
                    return AVERROR_INVALIDDATA;
                }
+            }
        } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
            if (end - p >= 88) {
                int stream_count = AV_RL16(p + 84), ext_len_count = AV_RL16(p + 86);
@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
            }
        } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
            chunksize = 46; // see references [2] section 3.4. This should be set 46.
+            if (chunksize > end - p) {
+                av_log(NULL, AV_LOG_ERROR,
+                    "Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+                    chunksize);
+                return AVERROR_INVALIDDATA;
+            }
        }
        p += chunksize;
    }