[FFmpeg-cvslog] mpc8: Check the seek table size parsed from the bitstream
Martin Storsjö
git at videolan.org
Thu Sep 12 14:20:32 CEST 2013
ffmpeg | branch: master | Martin Storsjö <martin at martin.st> | Wed Sep 11 22:47:06 2013 +0300| [459f2b393a3f89ed08d10fbceb4738d1429f268e] | committer: Martin Storsjö
mpc8: Check the seek table size parsed from the bitstream
Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
Signed-off-by: Martin Storsjö <martin at martin.st>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=459f2b393a3f89ed08d10fbceb4738d1429f268e
---
libavformat/mpc8.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index c3c70e0..29001b1 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
return;
}
+ if (size < 0 || size >= INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+ return;
+ }
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
return;
avio_read(s->pb, buf, size);
More information about the ffmpeg-cvslog
mailing list