Module: libav Branch: release/0.7 Commit: b15e85d8207bf644e5fc8837b4fad2ae3f33d021
Author: Michael Niedermayer <michae...@gmx.at> Committer: Reinhard Tartler <siret...@tauware.de> Date: Wed Sep 7 14:12:42 2011 +0200 rtpdec_asf: Fix integer underflow that could allow remote code execution Fixes MSVR-11-0088 Fixes CVE-2011-4031 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michae...@gmx.at> Signed-off-by: Martin Storsjö <mar...@martin.st> (cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b) Signed-off-by: Reinhard Tartler <siret...@tauware.de>
---
 libavformat/rtpdec_asf.c | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 287025f..9d8c87b 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
 int cur_len = start_off + len_off - off;
 int prev_len = out_len;
+ void *newmem;
 out_len += cur_len;
- asf->buf = av_realloc(asf->buf, out_len);
+ if (FFMIN(cur_len, len - off) < 0)
+ return -1;
+ newmem = av_realloc(asf->buf, out_len);
+ if (!newmem)
+ return -1;
+ asf->buf = newmem;
 memcpy(asf->buf + prev_len, buf + off,
 FFMIN(cur_len, len - off));
 avio_skip(pb, cur_len);
_______________________________________________ libav-commits mailing list libav-commits@libav.org https://lists.libav.org/mailman/listinfo/libav-commits
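Review bot: The added guard `if (FFMIN(cur_len, len - off) < 0)` rejects only a negative copy length, so a `cur_len` larger than `len - off` is still accepted. In that case `out_len` grows by the full `cur_len` while `memcpy` fills only `len - off` bytes, leaving the tail of the reallocated `asf->buf` uninitialised, and `avio_skip(pb, cur_len)` moves past the data actually received. `cur_len` is computed from `len_off`, which appears to come from the packet, so if short payloads do not need to be tolerated, consider bounding it on both sides before `out_len` is updated: `if (cur_len < 0 || cur_len > len - off) return -1;`. The allocation-failure path could also return `AVERROR(ENOMEM)` instead of `-1`, so callers can tell out-of-memory from malformed input. The body of `asfrtp_parse_packet` starts and ends outside this hunk, so how `asf->buf` and `out_len` are consumed afterwards is not visible here.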