[FFmpeg-cvslog] wtvdec: fix name_size check to consider integer overflows.
Michael Niedermayer
git at videolan.org
Sat Apr 14 18:58:39 CEST 2012
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sat Apr 14 18:32:36 2012 +0200| [c42efad3c34cace09555e05fd0cb81cb59cc726f] | committer: Michael Niedermayer
wtvdec: fix name_size check to consider integer overflows.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c42efad3c34cace09555e05fd0cb81cb59cc726f
---
libavformat/wtvdec.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 537dc8e..a2a26c2 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -258,7 +258,7 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
dir_length = AV_RL16(buf + 16);
file_length = AV_RL64(buf + 24);
name_size = 2 * AV_RL32(buf + 32);
- if (buf + 48 + name_size > buf_end) {
+ if (buf + 48 + (int64_t)name_size > buf_end || name_size<0) {
av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
break;
}
More information about the ffmpeg-cvslog
mailing list