RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-01-31 03:44:15 +00:00
Code Issues Projects Releases Wiki Activity

asfdec: dont truncate type 2-5 values

Browse Source 
Fixes use of uninitialized variables and possible out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-03-05 21:56:46 +01:00
parent 4c56b79a16
commit d929364814
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/asfdec.c
View File

@ -278,11 +278,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
{ {
char *value; char *value;
int64_t off = avio_tell(s->pb); int64_t off = avio_tell(s->pb);
#define LEN 22
if ((unsigned)len >= (UINT_MAX - 1) / 2) if ((unsigned)len >= (UINT_MAX - LEN) / 2)
return; return;
value = av_malloc(2 * len + 1); value = av_malloc(2 * len + LEN);
if (!value) if (!value)
goto finish; goto finish;
@ -302,7 +303,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
goto finish; goto finish;
} else if (type > 1 && type <= 5) { // boolean or DWORD or QWORD or WORD } else if (type > 1 && type <= 5) { // boolean or DWORD or QWORD or WORD
uint64_t num = get_value(s->pb, type, type2_size); uint64_t num = get_value(s->pb, type, type2_size);
snprintf(value, len, "%"PRIu64, num); snprintf(value, LEN, "%"PRIu64, num);
} else if (type == 6) { // (don't) handle GUID } else if (type == 6) { // (don't) handle GUID
av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key); av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
goto finish; goto finish;