mpc8: Check the seek table size parsed from the bitstream

Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
Martin Storsjö 2013-09-11 22:47:06 +03:00
parent 0d61f26001
commit 459f2b393a


@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
av_log(s, AV_LOG_ERROR, "No seek table at given position\n"); av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
return; return;
} }
if (size < 0 || size >= INT_MAX / 2) {
av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
return;
}
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE))) if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
return; return;
avio_read(s->pb, buf, size); avio_read(s->pb, buf, size);
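Review bot: The return value of `avio_read(s->pb, buf, size)` on the last line of this hunk is ignored, so a truncated file whose header claims a larger seek table leaves part of `buf` uninitialised, and whatever parses it after the hunk would read stale heap bytes. The size check added above bounds the allocation but not the read; I would change the call to `if (avio_read(s->pb, buf, size) != size) { av_free(buf); return; }`, with an error log in the style of the ones above. The bound of `INT_MAX / 2` also still lets a bitstream-supplied value request close to 1 GiB, so a tighter limit tied to the remaining input size may be worth considering if that size is known at this point. The body of mpc8_parse_seektable continues past the hunk, so how `buf` is consumed and freed is not visible from here.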