[FFmpeg-cvslog] iff: fix integer overflow

Michael Niedermayer git at videolan.org
Thu Mar 14 17:48:10 CET 2013


ffmpeg | branch: release/1.1 | Michael Niedermayer <michaelni at gmx.at> | Tue Mar  5 01:35:28 2013 +0100| [f719e6566c08dc1e18cf1caf07ba8c0e93cd7283] | committer: Michael Niedermayer

iff: fix integer overflow

Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f719e6566c08dc1e18cf1caf07ba8c0e93cd7283
---

 libavformat/iff.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/iff.c b/libavformat/iff.c
index 0e945da..ffd9231 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -249,6 +249,8 @@ static int iff_read_header(AVFormatContext *s)
             break;
 
         case ID_CMAP:
+            if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
+                return AVERROR_INVALIDDATA;
             st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
             st->codec->extradata      = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
             if (!st->codec->extradata)
@@ -409,6 +411,7 @@ static int iff_read_header(AVFormatContext *s)
             if (!st->codec->extradata)
                 return AVERROR(ENOMEM);
         }
+        av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE);
         buf = st->codec->extradata;
         bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE);
         bytestream_put_byte(&buf, iff->bitmap_compression);



More information about the ffmpeg-cvslog mailing list