From 0838cfdc8a10185604db5cd9d6bffad71279a0e8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 28 Jan 2009 13:37:26 +0000 Subject: [PATCH] Fix remotely exploitable arbitrary code execution vulnerability. Found by Tobias Klein / tk // trapkit / de / See: http://www.trapkit.de/advisories/TKADV2009-004.txt Originally committed as revision 16846 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavformat/4xm.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 513f51845a..74522f8d27 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -166,12 +166,13 @@ static int fourxm_read_header(AVFormatContext *s, goto fail; } current_track = AV_RL32(&header[i + 8]); + if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){ + av_log(s, AV_LOG_ERROR, "current_track too large\n"); + ret= -1; + goto fail; + } if (current_track + 1 > fourxm->track_count) { fourxm->track_count = current_track + 1; - if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){ - ret= -1; - goto fail; - } fourxm->tracks = av_realloc(fourxm->tracks, fourxm->track_count * sizeof(AudioTrack)); if (!fourxm->tracks) {