[FFmpeg-cvslog] matroskadec: fix integer underflow if header length < probe length.

Chris Evans git at videolan.org
Tue Jul 26 00:53:24 CEST 2011


ffmpeg | branch: release/0.8 | Chris Evans <cevans at chromium.org> | Tue Jul 19 17:51:48 2011 -0700| [5fab0ccd81df0bc3fd6d16756006c260fdbca6e7] | committer: Reinhard Tartler

matroskadec: fix integer underflow if header length < probe length.

This fixes a crash with specifically crafted files.

Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
(cherry picked from commit 69619a13c3fef940cba545cf0a283ff22771dd71)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5fab0ccd81df0bc3fd6d16756006c260fdbca6e7
---

 libavformat/matroskadec.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 60f6c69..f74f76c 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -900,6 +900,8 @@ static int matroska_probe(AVProbeData *p)
      * Not fully fool-proof, but good enough. */
     for (i = 0; i < FF_ARRAY_ELEMS(matroska_doctypes); i++) {
         int probelen = strlen(matroska_doctypes[i]);
+        if (total < probelen)
+            continue;
         for (n = 4+size; n <= 4+size+total-probelen; n++)
             if (!memcmp(p->buf+n, matroska_doctypes[i], probelen))
                 return AVPROBE_SCORE_MAX;



More information about the ffmpeg-cvslog mailing list