Module: libav Branch: release/0.8 Commit: 486c45767587151b517bb6fde602d43d178da203
Author: Martin Storsjö <[email protected]> Committer: Luca Barbato <[email protected]> Date: Wed Sep 11 22:47:06 2013 +0300 mpc8: Check the seek table size parsed from the bitstream Limit the size to INT_MAX/2 (for simplicity) to be sure that size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] Signed-off-by: Martin Storsjö <[email protected]> (cherry picked from commit 459f2b393a3f89ed08d10fbceb4738d1429f268e) Signed-off-by: Luca Barbato <[email protected]> (cherry picked from commit f8a72f041c049e812dfa1f32156327e9778f5710) --- libavformat/mpc8.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c index d956049..97a9b01 100644 --- a/libavformat/mpc8.c +++ b/libavformat/mpc8.c @@ -143,6 +143,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off) av_log(s, AV_LOG_ERROR, "No seek table at given position\n"); return; } + if (size < 0 || size >= INT_MAX / 2) { + av_log(s, AV_LOG_ERROR, "Bad seek table size\n"); + return; + } if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE))) return; avio_read(s->pb, buf, size); _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
