[libav-devel] [PATCH][Release/11] asfenc: Check pts leading to integer overflow

Vittorio Giovara Thu, 03 Mar 2016 07:30:34 -0800

From: Michael Niedermayer <mich...@niedermayer.cc>

Bug-Id: CVE-2016-2326
Sample-Id: 
0063df8be3aaa30dd6d76f59c8f818c8/signal_sigsegv_7b7b59_3634_bf418b6822bbfa68734411d96b667be3.mov


Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
Note: untested, people with the sample please confirm.
Vittorio

 libavformat/asfenc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c
index 90d5c26..87993b6 100644
--- a/libavformat/asfenc.c
+++ b/libavformat/asfenc.c
@@ -964,6 +964,11 @@ static int asf_write_packet(AVFormatContext *s, AVPacket 
*pkt)
 
     pts = (pkt->pts != AV_NOPTS_VALUE) ? pkt->pts : pkt->dts;
     av_assert0(pts != AV_NOPTS_VALUE);
+    if (   pts < - PREROLL_TIME
+        || pts > (INT_MAX-3)/10000LL * ASF_INDEXED_INTERVAL - PREROLL_TIME) {
+        av_log(s, AV_LOG_ERROR, "input pts %"PRId64" is invalid\n", pts);
+        return AVERROR(EINVAL);
+    }
     pts *= 10000;
     asf->duration = FFMAX(asf->duration, pts + pkt->duration * 10000);
 
-- 
2.7.0

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH][Release/11] asfenc: Check pts leading to integer overflow

Reply via email to