[FFmpeg-devel] [PATCH] nutdec: reject negative sm_size

Michael Niedermayer michael at niedermayer.cc
Sat Dec 19 01:51:47 CET 2015


On Fri, Dec 18, 2015 at 05:22:31PM +0100, Andreas Cadhalpun wrote:
> If it is negative, it makes size larger than the size of the packet
> buffer, causing invalid writes in avio_read.
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
> ---
>  libavformat/nutdec.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
> index 286d1ee..47ae7a7 100644
> --- a/libavformat/nutdec.c
> +++ b/libavformat/nutdec.c
> @@ -1146,6 +1146,11 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
>              goto fail;
>          }
>          sm_size = avio_tell(bc) - pkt->pos;
> +        if (sm_size < 0) {
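
Review bot: The `if (sm_size < 0)` test right after `sm_size = avio_tell(bc) - pkt->pos;` only guards one side of the range. The commit message's concern is `size` ending up larger than the packet buffer, so I would check the upper bound at the same spot and reject an `sm_size` that exceeds `size`, not just a negative one. The declaration of `sm_size` is not in this hunk; if it is narrower than the two positions being subtracted, the difference can wrap before the sign test ever sees it, so compute the difference in a type as wide as the operands and range-check it before narrowing. A short comment stating when the position difference can legitimately be negative would also help. The error path should go through the existing `goto fail` cleanup used just above.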

Did sm_size overflow, and should it be 64-bit?
Did the byte position (avio_tell) move backward? (This should not
happen.)

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Asymptotically faster algorithms should always be preferred if you have
asymptotical amounts of data