[FFmpeg-cvslog] matroskadec: fix integer underflow if header length < probe length.
Chris Evans
git at videolan.org
Tue Jul 26 00:53:24 CEST 2011
ffmpeg | branch: release/0.8 | Chris Evans <cevans at chromium.org> | Tue Jul 19 17:51:48 2011 -0700| [5fab0ccd81df0bc3fd6d16756006c260fdbca6e7] | committer: Reinhard Tartler
matroskadec: fix integer underflow if header length < probe length.
This fixes a crash with specifically crafted files.
Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
(cherry picked from commit 69619a13c3fef940cba545cf0a283ff22771dd71)
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5fab0ccd81df0bc3fd6d16756006c260fdbca6e7
---
libavformat/matroskadec.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 60f6c69..f74f76c 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -900,6 +900,8 @@ static int matroska_probe(AVProbeData *p)
* Not fully fool-proof, but good enough. */
for (i = 0; i < FF_ARRAY_ELEMS(matroska_doctypes); i++) {
int probelen = strlen(matroska_doctypes[i]);
+ if (total < probelen)
+ continue;
for (n = 4+size; n <= 4+size+total-probelen; n++)
if (!memcmp(p->buf+n, matroska_doctypes[i], probelen))
return AVPROBE_SCORE_MAX;
More information about the ffmpeg-cvslog
mailing list