[FFmpeg-devel] [PATCH] matroskadec: Fix a buffer overread

Måns Rullgård mans
Sat Mar 6 13:24:14 CET 2010


David Conrad <lessen42 at gmail.com> writes:

> ---
>  libavformat/matroskadec.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
> index 84d06c7..3ee9f39 100644
> --- a/libavformat/matroskadec.c
> +++ b/libavformat/matroskadec.c
> @@ -1676,6 +1676,11 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
>                  int offset = 0, pkt_size = lace_size[n];
>                  uint8_t *pkt_data = data;
>
> +                if (lace_size[n] > size) {
> +                    av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
> +                    continue;
> +                }
> +
>                  if (encodings && encodings->scope & 1) {
>                      offset = matroska_decode_buffer(&pkt_data,&pkt_size, track);
>                      if (offset < 0)
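
Review bot: the new `continue` at `if (lace_size[n] > size)` jumps to the next iteration of the lace loop and, judging by the indentation, skips the `data += lace_size[n]` / `size -= lace_size[n]` updates at the bottom of that loop, so the remaining laces are checked against an unchanged `size` and read from an unchanged `data`; a later lace that happens to fit is then parsed from the wrong offset. Once one lace exceeds the remaining block size the rest of the block cannot be trusted, so `break` (or returning an error) would be the safer choice here. Moving the check ahead of the `pkt_size = lace_size[n]` / `pkt_data = data` initialisation would also make the intent more obvious.
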
> @@ -1727,6 +1732,7 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
>              if (timecode != AV_NOPTS_VALUE)
>                  timecode = duration ? timecode + duration : AV_NOPTS_VALUE;
>              data += lace_size[n];
> +            size -= lace_size[n];
>          }
>      }
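
Review bot: `size -= lace_size[n]` is only safe because of the `lace_size[n] > size` check added in the first hunk; the two changes depend on each other, but the commit message is just the subject line, and it should say how a lace size can come to exceed the block size so that the reason for the check is recorded next to it. It would also be worth a quick check that `size` is the same type as `lace_size[n]` (neither declaration is visible in the diff), since a signed/unsigned mismatch would change how the comparison in the first hunk behaves.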

Looks correct to me.  Aurelien seems MIA so I'd suggest applying this
if it passes tests.

-- 
Måns Rullgård
mans at mansr.com
