[FFmpeg-cvslog] avformat/mvdec: Check size for validity in var_read_string()

Michael Niedermayer git at videolan.org
Tue Oct 28 17:52:15 CET 2014


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Oct 28 16:42:05 2014 +0100| [86e574928536ee5249d9cf4da9f5d8714611d706] | committer: Michael Niedermayer

avformat/mvdec: Check size for validity in var_read_string()

Fixes out of array read
Fixes: asan_heap-oob_49b1e5_12_011.movie
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=86e574928536ee5249d9cf4da9f5d8714611d706
---

 libavformat/mvdec.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 6e7c3ff..0f09498 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -57,7 +57,12 @@ static int mv_probe(AVProbeData *p)
 static char *var_read_string(AVIOContext *pb, int size)
 {
     int n;
-    char *str = av_malloc(size + 1);
+    char *str;
+
+    if (size < 0 || size == INT_MAX)
+        return NULL;
+
+    str = av_malloc(size + 1);
     if (!str)
         return NULL;
     n = avio_get_str(pb, size, str, size + 1);
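
Review bot: the new `size < 0 || size == INT_MAX` branch at the top of var_read_string() returns NULL, the same value returned a few lines later when av_malloc() fails, so a caller that only sees NULL cannot tell an invalid size from an out-of-memory condition. Consider noting at the call sites or in a comment which error code a NULL return should map to. The check itself would also benefit from a one-line comment that `size == INT_MAX` is rejected because `size + 1` would overflow in both the av_malloc() and avio_get_str() arguments. Any other positive size, including values just below INT_MAX, still reaches `av_malloc(size + 1)`; if the size can be compared against a known upper bound before the allocation, that would be worth adding here.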


