Module: libav
Branch: release/0.7
Commit: b15e85d8207bf644e5fc8837b4fad2ae3f33d021
Author: Michael Niedermayer <michae...@gmx.at>
Committer: Reinhard Tartler <siret...@tauware.de>
Date: Wed Sep 7 14:12:42 2011 +0200
rtpdec_asf: Fix integer underflow that could allow remote code execution
Fixes MSVR-11-0088
Fixes CVE-2011-4031
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michae...@gmx.at>
Signed-off-by: Martin Storsjö <mar...@martin.st>
(cherry picked from commit 5ea091fb5a12dc0210b8efdf30b573b87e21652b)
Signed-off-by: Reinhard Tartler <siret...@tauware.de>
---
libavformat/rtpdec_asf.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 287025f..9d8c87b 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s,
PayloadContext *asf,
int cur_len = start_off + len_off - off;
int prev_len = out_len;
+ void *newmem;
out_len += cur_len;
- asf->buf = av_realloc(asf->buf, out_len);
+ if (FFMIN(cur_len, len - off) < 0)
+ return -1;
+ newmem = av_realloc(asf->buf, out_len);
+ if (!newmem)
+ return -1;
+ asf->buf = newmem;
memcpy(asf->buf + prev_len, buf + off,
FFMIN(cur_len, len - off));
avio_skip(pb, cur_len);
_______________________________________________
libav-commits mailing list
libav-commits@libav.org
https://lists.libav.org/mailman/listinfo/libav-commits
