vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen | Mon Nov
9 09:54:27 2020 +0100| [56cbe9c4b59edbdc5e1bb2687992f3bbf492eccb] | committer:
Hugo Beauzée-Luyssen
avi: Fix integer overflow
Which would in turn cause a size verification failure, leading to a
buffer overflow
Reported by: Zhen Zhou, NSFOCUS Security Team
(cherry picked from commit a4b1de184faf86617b4432954c1984e0027fb246)
Signed-off-by: Hugo Beauzée-Luyssen
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=56cbe9c4b59edbdc5e1bb2687992f3bbf492eccb
---
modules/demux/avi/avi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 9ca8043472..7868a0f90e 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -3078,7 +3078,7 @@ static void AVI_ExtractSubtitle( demux_t *p_demux,
if( i_size < 6 || GetWLE( [0] ) != 0x04 )
goto exit;
const unsigned i_payload = GetDWLE( [2] );
-if( i_size < 6 + i_payload || i_payload <= 0 )
+if( i_size - 6 < i_payload || i_payload == 0 )
goto exit;
p += 6;
i_size -= 6;
___
vlc-commits mailing list
vlc-commits@videolan.org
https://mailman.videolan.org/listinfo/vlc-commits