[FFmpeg-devel] [PATCH] nutdec: reject negative sm_size

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sat Dec 19 12:19:44 CET 2015


On 19.12.2015 01:51, Michael Niedermayer wrote:
> On Fri, Dec 18, 2015 at 05:22:31PM +0100, Andreas Cadhalpun wrote:
>> If it is negative, it makes size larger than the size of the packet
>> buffer, causing invalid writes in avio_read.
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
>> ---
>>  libavformat/nutdec.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
>> index 286d1ee..47ae7a7 100644
>> --- a/libavformat/nutdec.c
>> +++ b/libavformat/nutdec.c
>> @@ -1146,6 +1146,11 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
>>              goto fail;
>>          }
>>          sm_size = avio_tell(bc) - pkt->pos;
>> +        if (sm_size < 0) {
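
Review bot: the `if (sm_size < 0)` test comes after `sm_size = avio_tell(bc) - pkt->pos;`, so it only detects that the read position has already ended up before `pkt->pos`; it does not stop whatever moved it there. The commit message should say how the position can go backward on this path, and the input is better rejected at the point where that happens, keeping this test at most as a last guard before the value is used.
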
> 
> did sm_size overflow and should be 64bit ?

No.

> did the byte position (avio_tell) move backward ?

Yes.

> (this should not happen)

In that case, the check needs to be moved to read_sm_data.
Patch doing that is attached.

Best regards,
Andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-nutdec-reject-negative-value_len-in-read_sm_data.patch
Type: text/x-diff
Size: 1243 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20151219/fe2dde02/attachment.patch>

