authorMartin Storsjö <martin@martin.st>2013-09-11 22:47:06 +0300
committerLuca Barbato <lu_zero@gentoo.org>2014-01-07 09:43:56 +0100
commit486c45767587151b517bb6fde602d43d178da203 (patch)
tree66ce02a61aebe2eb50e50bc917a62b955258e3bc
parentb81d804f2ac113a46d1736751401d78f998db56d (diff)
downloadffmpeg-486c45767587151b517bb6fde602d43d178da203.tar.gz
mpc8: Check the seek table size parsed from the bitstream
Limit the size to INT_MAX/2 (for simplicity) to be sure that size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 459f2b393a3f89ed08d10fbceb4738d1429f268e) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> (cherry picked from commit f8a72f041c049e812dfa1f32156327e9778f5710)
-rw-r--r--libavformat/mpc8.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index d9560496f7..97a9b01025 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -143,6 +143,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
return;
}
+ if (size < 0 || size >= INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+ return;
+ }
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
return;
avio_read(s->pb, buf, size);
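Review bot: The `avio_read(s->pb, buf, size)` call directly after the new bound still ignores its return value, so a truncated file that declares a seek table just under INT_MAX/2 bytes gets that much memory allocated and leaves most of `buf` unwritten. The added check protects the `size + FF_INPUT_BUFFER_PADDING_SIZE` arithmetic but still trusts a bitstream-supplied length; checking the read would close that gap: `if (avio_read(s->pb, buf, size) != size) { av_free(buf); return; }`. Since `av_malloc` does not zero memory, the padding bytes are also uninitialised, which `memset(buf + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the read would cover. The rest of mpc8_parse_seektable lies outside this hunk, so how `buf` is consumed afterwards is inferred rather than seen.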