[FFmpeg-devel] [PATCH] jvdec: avoid unsized overflow in comparison
Paul B Mahol
onemda at gmail.com
Sat Nov 7 06:07:29 CET 2015
On 11/6/15, Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> wrote:
> The return type of strlen is size_t, i.e. unsigned, so if pd->buf_size
> is 3, the right side overflows leading to a wrong result of the
> comparison and subsequently a heap buffer overflow.
>
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
> libavformat/jvdec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/jvdec.c b/libavformat/jvdec.c
> index 4d4f0c7..a31c723 100644
> --- a/libavformat/jvdec.c
> +++ b/libavformat/jvdec.c
> @@ -54,7 +54,7 @@ typedef struct JVDemuxContext {
>
> static int read_probe(AVProbeData *pd)
> {
> - if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) <=
> pd->buf_size - 4 &&
> + if (pd->buf[0] == 'J' && pd->buf[1] == 'V' && strlen(MAGIC) + 4 <=
> pd->buf_size &&
> !memcmp(pd->buf + 4, MAGIC, strlen(MAGIC)))
> return AVPROBE_SCORE_MAX;
> return 0;
> --
> 2.6.1
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
lgtm
More information about the ffmpeg-devel
mailing list