[FFmpeg-cvslog] r16846 - trunk/libavformat/4xm.c

michael subversion
Wed Jan 28 14:37:26 CET 2009


Author: michael
Date: Wed Jan 28 14:37:26 2009
New Revision: 16846

Log:
Fix remotely exploitable arbitrary code execution vulnerability.
Found by Tobias Klein / tk // trapkit / de /
See: http://www.trapkit.de/advisories/TKADV2009-004.txt

Modified:
   trunk/libavformat/4xm.c

Modified: trunk/libavformat/4xm.c
==============================================================================
--- trunk/libavformat/4xm.c	Wed Jan 28 12:12:19 2009	(r16845)
+++ trunk/libavformat/4xm.c	Wed Jan 28 14:37:26 2009	(r16846)
@@ -166,12 +166,13 @@ static int fourxm_read_header(AVFormatCo
                 goto fail;
             }
             current_track = AV_RL32(&header[i + 8]);
+            if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+                av_log(s, AV_LOG_ERROR, "current_track too large\n");
+                ret= -1;
+                goto fail;
+            }
             if (current_track + 1 > fourxm->track_count) {
                 fourxm->track_count = current_track + 1;
-                if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){
-                    ret= -1;
-                    goto fail;
-                }
                 fourxm->tracks = av_realloc(fourxm->tracks,
                     fourxm->track_count * sizeof(AudioTrack));
                 if (!fourxm->tracks) {




More information about the ffmpeg-cvslog mailing list