[FFmpeg-cvslog] avformat/paf: Fix integer overflow and out of array read
Michael Niedermayer
git at videolan.org
Thu Aug 29 02:05:06 CEST 2013
ffmpeg | branch: release/1.0 | Michael Niedermayer <michaelni at gmx.at> | Fri Aug 9 13:23:10 2013 +0200| [278fbfc6bf3a501eb0af5ce07a528785ce8715a7] | committer: Michael Niedermayer
avformat/paf: Fix integer overflow and out of array read
Found-by: Laurent Butti <laurentb at gmail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit f58cd2867a8af2eed13acdd21d067b48249b14a1)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=278fbfc6bf3a501eb0af5ce07a528785ce8715a7
---
libavformat/paf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavformat/paf.c b/libavformat/paf.c
index 8fe2ac5..e695ace 100644
--- a/libavformat/paf.c
+++ b/libavformat/paf.c
@@ -231,10 +231,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt)
p->current_frame_block++;
}
- size = p->video_size - p->frames_offset_table[p->current_frame];
- if (size < 1)
+ if (p->frames_offset_table[p->current_frame] >= p->video_size)
return AVERROR_INVALIDDATA;
+ size = p->video_size - p->frames_offset_table[p->current_frame];
+
if (av_new_packet(pkt, size) < 0)
return AVERROR(ENOMEM);
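Review bot: The new `>=` comparison placed before `size = p->video_size - p->frames_offset_table[p->current_frame];` stops the difference from reaching zero or wrapping, but nothing visible in this hunk bounds `p->current_frame` against the number of entries in `frames_offset_table`, and that index is now dereferenced twice. If the bound is not already enforced earlier in read_packet() or when the header is parsed, it should be checked here before the table is read. The difference is also passed to av_new_packet() with no upper limit; the types of `size` and `video_size` are not shown in these lines, so please confirm the result always fits the type of `size`. A one-line comment saying that the comparison must come before the subtraction would keep a later cleanup from restoring the old ordering.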