vlc | branch: master | Hugo Beauzée-Luyssen <h...@beauzee.fr> | Mon Nov 9 09:54:27 2020 +0100| [a4b1de184faf86617b4432954c1984e0027fb246] | committer: Hugo Beauzée-Luyssen
avi: Fix integer overflow Which would in turn cause a size verification failure, leading to a buffer overflow Reported by: Zhen Zhou, NSFOCUS Security Team > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a4b1de184faf86617b4432954c1984e0027fb246 --- modules/demux/avi/avi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c index 9174b3167b..c3aa70ef57 100644 --- a/modules/demux/avi/avi.c +++ b/modules/demux/avi/avi.c @@ -2933,7 +2933,7 @@ static void AVI_ExtractSubtitle( demux_t *p_demux, if( i_size < 6 || GetWLE( &p[0] ) != 0x04 ) goto exit; const unsigned i_payload = GetDWLE( &p[2] ); - if( i_size < 6 + i_payload || i_payload <= 0 ) + if( i_size - 6 < i_payload || i_payload == 0 ) goto exit; p += 6; i_size -= 6; _______________________________________________ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits