On 26.06.2015 01:36, Michael Niedermayer wrote: > On Thu, Jun 25, 2015 at 11:46:41PM +0200, Andreas Cadhalpun wrote: >> Otherwise sm_size can be larger than size, which results in a negative >> packet size. >> >> Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> >> --- >> libavformat/nutdec.c | 7 ++++++- >> 1 file changed, 6 insertions(+), 1 deletion(-) > > > >> >> diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c >> index 13fb399..43bd27b 100644 >> --- a/libavformat/nutdec.c >> +++ b/libavformat/nutdec.c >> @@ -888,7 +888,7 @@ fail: >> >> static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, >> int is_meta, int64_t maxpos) >> { >> - int count = ffio_read_varlen(bc); >> + int count; >> int skip_start = 0; >> int skip_end = 0; >> int channels = 0; >> @@ -898,6 +898,11 @@ static int read_sm_data(AVFormatContext *s, AVIOContext >> *bc, AVPacket *pkt, int >> int height = 0; >> int i, ret; >> >> + if (avio_tell(bc) >= maxpos) >> + return AVERROR_INVALIDDATA; >> + >> + count = ffio_read_varlen(bc); > > ffio_read_varlen() could move the position beyond maxpos yet return > 0 so the loop with the checks inside is skipped
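Review bot: the `avio_tell(bc) >= maxpos` check in the second hunk runs before `ffio_read_varlen(bc)`, so it only establishes that the first byte of the count lies inside the packet; a varlen whose continuation bytes straddle maxpos is still consumed past the limit and can decode to 0, which skips the loop and leaves sm_size larger than size, as Michael points out. Check the position again after the read, e.g. `count = ffio_read_varlen(bc); if (avio_tell(bc) > maxpos) return AVERROR_INVALIDDATA;`, and since `count` is declared `int`, reject values that do not fit rather than letting a large varlen wrap to a negative count that would skip the loop in the same way.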
That is exactly the problem, because then sm_size can be larger than size. An alternative would be to directly check for that, like in the attached patch. Best regards, Andreas
From 25322c14b9ca46cc1c841dfdcc37ee42d16ea639 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> Date: Fri, 26 Jun 2015 19:25:05 +0200 Subject: [PATCH] nutdec: ensure non-negative packet size Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> --- libavformat/nutdec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 13fb399..3d6fb64 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1136,6 +1136,12 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) goto fail; } sm_size = avio_tell(bc) - pkt->pos; + if (size < sm_size) { + av_log(s, AV_LOG_ERROR, "size %d smaller than sm_size %d\n", + size, sm_size); + ret = AVERROR_INVALIDDATA; + goto fail; + } size -= sm_size; pkt->size -= sm_size; } -- 2.1.4
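Review bot: `if (size < sm_size)` sits after both `read_sm_data()` calls, so it rejects the packet only once the side data has already been parsed past the end of the packet data; that is a sound backstop against `size -= sm_size` and `pkt->size -= sm_size` going negative, but it does not replace a position check on the varlen read inside `read_sm_data()` itself, and both checks are cheap, so consider keeping both. Also `size == sm_size` passes the check and leaves a zero-length packet; if that is not a valid outcome in decode_frame(), the comparison should be `size <= sm_size`. Including `pkt->pos` in the av_log message would make reports from malformed files easier to triage.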
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
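The varlen hazard Michael describes above, as an added example that is not part of this thread or of FFmpeg: a minimal NUT-style varlen reader in two forms, an unbounded one mirroring the shape of the ffio_read_varlen() loop, and a bounded one that checks maxpos after every byte rather than only before the first. Function names, the reader signature and the sample bytes are assumptions made for this example.

```c
/* Added example, not FFmpeg code: a NUT-style varlen reader with and
 * without a bound, showing how an unbounded read can walk past maxpos
 * and still return 0.  Names and sample bytes are made up here. */
#include <stdint.h>
#include <stddef.h>

/* Same encoding as the varlen: 7 payload bits per byte, MSB = continue.
 * Reads past the end of buf yield 0, like a reader at EOF. */
static uint64_t read_varlen_unbounded(const uint8_t *buf, size_t len,
                                      size_t *pos)
{
    uint64_t val = 0; int tmp;
    do {
        tmp = *pos < len ? buf[(*pos)++] : 0;
        val = (val << 7) + (tmp & 127);
    } while (tmp & 128);
    return val;
}

/* Bounded variant: fails if any byte of the field would lie at or beyond
 * maxpos, so the check runs after each byte, not only before the first. */
static int read_varlen_bounded(const uint8_t *buf, size_t len, size_t *pos,
                               size_t maxpos, uint64_t *out)
{
    uint64_t val = 0; int tmp;
    do {
        if (*pos >= maxpos || *pos >= len)
            return -1;                 /* stands in for AVERROR_INVALIDDATA */
        tmp = buf[(*pos)++];
        val = (val << 7) + (tmp & 127);
    } while (tmp & 128);
    *out = val;
    return 0;
}

/* Constructed input: four continuation bytes, a terminator, then payload.
 * Decoded unbounded this is the value 0, yet it consumes five bytes. */
static const uint8_t SAMPLE[] = { 0x80, 0x80, 0x80, 0x80, 0x00, 0x2a };

/* Bytes by which the unbounded reader overshoots maxpos (0 if none). */
size_t overshoot_unbounded(size_t maxpos, uint64_t *value)
{
    size_t pos = 0;
    *value = read_varlen_unbounded(SAMPLE, sizeof SAMPLE, &pos);
    return pos > maxpos ? pos - maxpos : 0;
}

/* 0 on success, -1 when the field does not fit before maxpos. */
int bounded_result(size_t maxpos, uint64_t *value)
{
    size_t pos = 0;
    return read_varlen_bounded(SAMPLE, sizeof SAMPLE, &pos, maxpos, value);
}
```

With maxpos set to 2, the unbounded reader ends three bytes past the limit while reporting a count of 0, which is exactly the "returns 0, loop skipped" case; the bounded reader rejects the same input.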