[FFmpeg-devel] [PATCH] nutdec: check maxpos in read_sm_data before reading count
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Thu Jun 25 23:46:41 CEST 2015
Otherwise sm_size can be larger than size, which results in a negative
packet size.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavformat/nutdec.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 13fb399..43bd27b 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -888,7 +888,7 @@ fail:
static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos)
{
- int count = ffio_read_varlen(bc);
+ int count;
int skip_start = 0;
int skip_end = 0;
int channels = 0;
@@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
int height = 0;
int i, ret;
+ if (avio_tell(bc) >= maxpos)
+ return AVERROR_INVALIDDATA;
+
+ count = ffio_read_varlen(bc);
+
for (i=0; i<count; i++) {
uint8_t name[256], str_value[256], type_str[256];
int value;
--
2.1.4
More information about the ffmpeg-devel
mailing list