wtv: Add more sanity checks for a length read from the file

Also make sure the existing length check can't overflow.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 83c285f880)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 78dc022f6f)
This commit is contained in:
Martin Storsjö 2013-09-19 16:55:13 +03:00 committed by Luca Barbato
parent e80071892b
commit f23b1cc7d9
1 changed files with 6 additions and 1 deletions

View File

@ -273,7 +273,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
dir_length = AV_RL16(buf + 16); dir_length = AV_RL16(buf + 16);
file_length = AV_RL64(buf + 24); file_length = AV_RL64(buf + 24);
name_size = 2 * AV_RL32(buf + 32); name_size = 2 * AV_RL32(buf + 32);
if (buf + 48 + name_size > buf_end) { if (name_size < 0) {
av_log(s, AV_LOG_ERROR,
"bad filename length, remaining directory entries ignored\n");
break;
}
if (48 + name_size > buf_end - buf) {
av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
break; break;
} }