[FFmpeg-devel] [PATCH] avformat/icodec: Fix crash probing fuzzed file
Michael Niedermayer
michael at niedermayer.cc
Mon Feb 15 20:02:45 CET 2016
On Mon, Feb 15, 2016 at 09:57:51AM -0800, Mark Harris wrote:
> Avoid invalid memory read/crash when ico offset >= 0xfffffff8.
> Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
> ---
> libavformat/icodec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libavformat/icodec.c b/libavformat/icodec.c
> index 6ddb901..8f84337 100644
> --- a/libavformat/icodec.c
> +++ b/libavformat/icodec.c
> @@ -60,7 +60,7 @@ static int probe(AVProbeData *p)
> offset = AV_RL32(p->buf + 18 + i * 16);
> if (offset < 22)
> return FFMIN(i, AVPROBE_SCORE_MAX / 4);
> - if (offset + 8 > p->buf_size)
> + if (offset > p->buf_size - 8)
buf_size - 8 can underflow or more precissely is not guranteed to be
representable as unsigned while the compare is using unsigned
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If a bugfix only changes things apparently unrelated to the bug with no
further explanation, that is a good sign that the bugfix is wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20160215/4ed13ce8/attachment.sig>
More information about the ffmpeg-devel
mailing list