virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-04-14 00:58:38 +02:00
Code Issues Releases Activity

4xm: do not overread while parsing header

Browse Source 
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Luca Barbato 2013-06-05 18:56:28 +02:00
parent e7a44f87d0
commit 42d73f7f6b
1 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libavformat/4xm.c
View File

@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
} }
static int parse_vtrk(AVFormatContext *s, static int parse_vtrk(AVFormatContext *s,
FourxmDemuxContext *fourxm, uint8_t *buf, int size) FourxmDemuxContext *fourxm, uint8_t *buf, int size,
int left)
{ {
AVStream *st; AVStream *st;
/* check that there is enough data */ /* check that there is enough data */
if (size != vtrk_SIZE) { if (size != vtrk_SIZE || left < size + 8) {
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,
static int parse_strk(AVFormatContext *s, static int parse_strk(AVFormatContext *s,
FourxmDemuxContext *fourxm, uint8_t *buf, int size) FourxmDemuxContext *fourxm, uint8_t *buf, int size,
int left)
{ {
AVStream *st; AVStream *st;
int track; int track;
/* check that there is enough data */ /* check that there is enough data */
if (size != strk_SIZE) if (size != strk_SIZE || left < size + 8)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
track = AV_RL32(buf + 8); track = AV_RL32(buf + 8);
@ -217,14 +219,20 @@ static int fourxm_read_header(AVFormatContext *s)
size = AV_RL32(&header[i + 4]); size = AV_RL32(&header[i + 4]);
if (fourcc_tag == std__TAG) { if (fourcc_tag == std__TAG) {
if (header_size - i < 16) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
fourxm->fps = av_int2float(AV_RL32(&header[i + 12])); fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
} else if (fourcc_tag == vtrk_TAG) { } else if (fourcc_tag == vtrk_TAG) {
if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0) if ((ret = parse_vtrk(s, fourxm, header + i, size,
header_size - i)) < 0)
goto fail; goto fail;
i += 8 + size; i += 8 + size;
} else if (fourcc_tag == strk_TAG) { } else if (fourcc_tag == strk_TAG) {
if ((ret = parse_strk(s, fourxm, header + i, size)) < 0) if ((ret = parse_strk(s, fourxm, header + i, size,
header_size - i)) < 0)
goto fail; goto fail;
i += 8 + size; i += 8 + size;