[FFmpeg-devel] [PATCH] nutdec: check maxpos in read_sm_data before reading count
Michael Niedermayer
michaelni at gmx.at
Fri Jun 26 01:36:09 CEST 2015
On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote:
> Otherwise sm_size can be larger than size, which results in a negative
> packet size.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavformat/nutdec.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> index 13fb399..43bd27b 100644
> --- a/libavformat/nutdec.c
> +++ b/libavformat/nutdec.c
> @@ -888,7 +888,7 @@ fail:
>
> static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int is_meta, int64_t maxpos)
> {
> - int count = ffio_read_varlen(bc);
> + int count;
> int skip_start = 0;
> int skip_end = 0;
> int channels = 0;
> @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
> int height = 0;
> int i, ret;
>
> + if (avio_tell(bc) >= maxpos)
> + return AVERROR_INVALIDDATA;
> +
> + count = ffio_read_varlen(bc);
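
Review bot: the new check at "if (avio_tell(bc) >= maxpos)" runs only before "count = ffio_read_varlen(bc);", so nothing in this hunk verifies that the position is still within maxpos once count has been read. Consider comparing avio_tell(bc) against maxpos again directly after the read and returning AVERROR_INVALIDDATA there as well, so the bound holds for the value that is actually used.
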
ffio_read_varlen() could move the position beyond maxpos yet return
0 so the loop with the checks inside is skipped
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Breaking DRM is a little like attempting to break through a door even
though the window is wide open and the only thing in the house is a bunch
of things you don't want and which you would get tomorrow for free anyway
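
The case raised in the reply above, as an added example that is not part of the original thread and is not FFmpeg code: a simplified model of a NUT-style variable-length read, showing that a position check made only before the read still lets the reader end past maxpos with a count of 0. Reader, read_varlen, read_count, overshoot and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed in-memory reader standing in for the I/O context (assumption). */
typedef struct { const uint8_t *buf; size_t size, pos; } Reader;

/* NUT-style varlen: 7 payload bits per byte, high bit set = more bytes follow. */
static uint64_t read_varlen(Reader *r)
{
    uint64_t val = 0;
    uint8_t tmp;
    do {
        tmp = r->pos < r->size ? r->buf[r->pos++] : 0; /* 0 at end of data */
        val = (val << 7) + (tmp & 127);
    } while (tmp & 128);
    return val;
}

/* recheck=0: bound checked only before the read; recheck=1: also after it. */
static int read_count(Reader *r, size_t maxpos, int recheck, uint64_t *count)
{
    if (r->pos >= maxpos)
        return -1;
    *count = read_varlen(r);
    if (recheck && r->pos > maxpos)
        return -1;              /* the varlen itself ran past the limit */
    return 0;
}

/* Constructed sample: the region ends at offset 1, but the varlen
 * 0x80 0x80 0x00 (value 0) occupies offsets 0..2. */
static const uint8_t sample[] = { 0x80, 0x80, 0x00, 0x41, 0x42 };
#define SAMPLE_MAXPOS 1

/* Bytes consumed beyond maxpos with count == 0, or -1 if the read was rejected. */
static long overshoot(int recheck)
{
    Reader r = { sample, sizeof(sample), 0 };
    uint64_t count = 1;
    if (read_count(&r, SAMPLE_MAXPOS, recheck, &count) < 0)
        return -1;
    return count == 0 ? (long)r.pos - SAMPLE_MAXPOS : -2;
}

int main(void)
{
    printf("pre-check only: %ld, with re-check: %ld\n", overshoot(0), overshoot(1));
    return 0;
}
```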