diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-12-20 18:07:30 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-12-20 23:04:51 +0100 |
| commit | eedd9148733ff4467c62092ad1c1a26d6125b249 (patch) | |
| tree | 755a97e7fa045c5723f76d6be9c5ba5e12a14a60 | |
| parent | 5ec3c7b7c1189dca0ba29edbd33b5dbe68313382 (diff) | |
| download | ffmpeg-eedd9148733ff4467c62092ad1c1a26d6125b249.tar.gz | |
avformat/pva: Make sure the header is large enough before reading the timestamp from it
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f34b5dc6d58_2674_PVA_test-partial.pva
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/pva.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libavformat/pva.c b/libavformat/pva.c index 635fb728b3..18ab1cd3fc 100644 --- a/libavformat/pva.c +++ b/libavformat/pva.c @@ -152,8 +152,14 @@ recover: pvactx->continue_pes = pes_packet_length; - if (pes_flags & 0x80 && (pes_header_data[0] & 0xf0) == 0x20) + if (pes_flags & 0x80 && (pes_header_data[0] & 0xf0) == 0x20) { + if (pes_header_data_length < 5) { + pva_log(s, AV_LOG_ERROR, "header too short\n"); + avio_skip(pb, length); + return AVERROR_INVALIDDATA; + } pva_pts = ff_parse_pes_pts(pes_header_data); + } } pvactx->continue_pes -= length; |