diff options
author | Chris Evans <cevans@chromium.org> | 2011-07-19 17:51:48 -0700 |
---|---|---|
committer | Ronald S. Bultje <rsbultje@gmail.com> | 2011-07-19 18:06:06 -0700 |
commit | 69619a13c3fef940cba545cf0a283ff22771dd71 (patch) | |
tree | 00e7b98b3028a7c9300ef609cdcc91e07b331e30 | |
parent | 953302656aaaeb1bc737b59fae2d5a11b75d9f7d (diff) | |
download | ffmpeg-69619a13c3fef940cba545cf0a283ff22771dd71.tar.gz |
matroskadec: fix integer underflow if header length < probe length.
This fixes a crash with specifically crafted files.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
-rw-r--r-- | libavformat/matroskadec.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 852760cc4d..037997742c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -903,6 +903,8 @@ static int matroska_probe(AVProbeData *p) * Not fully fool-proof, but good enough. */ for (i = 0; i < FF_ARRAY_ELEMS(matroska_doctypes); i++) { int probelen = strlen(matroska_doctypes[i]); + if (total < probelen) + continue; for (n = 4+size; n <= 4+size+total-probelen; n++) if (!memcmp(p->buf+n, matroska_doctypes[i], probelen)) return AVPROBE_SCORE_MAX; |