author | Luca Barbato <lu_zero@gentoo.org> | 2013-06-05 18:56:28 +0200 |
---|---|---|
committer | Luca Barbato <lu_zero@gentoo.org> | 2013-06-12 14:45:46 +0200 |
commit | 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11 (patch) | |
tree | 048655259f43beff6deb7701164f3cabe1c9a559 | |
parent | e7a44f87d07655ec0cd31c315936931674434340 (diff) | |
download | ffmpeg-42d73f7f6bea0ee0f64a3ad4882860ce5b923a11.tar.gz |
4xm: do not overread while parsing header
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
-rw-r--r-- | libavformat/4xm.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 1270fa332b..614b1d5f2a 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
 }

 static int parse_vtrk(AVFormatContext *s,
- FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+ FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+ int left)
 {
 AVStream *st;
 /* check that there is enough data */
- if (size != vtrk_SIZE) {
+ if (size != vtrk_SIZE || left < size + 8) {
 return AVERROR_INVALIDDATA;
 }

@@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,


 static int parse_strk(AVFormatContext *s,
- FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+ FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+ int left)
 {
 AVStream *st;
 int track;
 /* check that there is enough data */
- if (size != strk_SIZE)
+ if (size != strk_SIZE || left < size + 8)
 return AVERROR_INVALIDDATA;

 track = AV_RL32(buf + 8);
@@ -217,14 +219,20 @@ static int fourxm_read_header(AVFormatContext *s)
 size = AV_RL32(&header[i + 4]);

 if (fourcc_tag == std__TAG) {
+ if (header_size - i < 16) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
 } else if (fourcc_tag == vtrk_TAG) {
- if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
+ if ((ret = parse_vtrk(s, fourxm, header + i, size,
+ header_size - i)) < 0)
 goto fail;

 i += 8 + size;
 } else if (fourcc_tag == strk_TAG) {
- if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
+ if ((ret = parse_strk(s, fourxm, header + i, size,
+ header_size - i)) < 0)
 goto fail;

 i += 8 + size; |
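Review bot: The new `left` parameter of parse_vtrk and the literal `8` in `left < size + 8` are undocumented, and the safety of that addition depends on operand order. Because `size != vtrk_SIZE` is tested first, `size` is already pinned to the chunk constant when `size + 8` is evaluated, so the sum cannot overflow for a file-supplied size (assuming vtrk_SIZE is the small constant its name suggests); swapping the operands would lose that. I would extend the existing comment to `/* size must equal the fixed chunk size, and the 8-byte chunk header plus payload must fit in the left bytes remaining at buf */`. The same applies to the identical check in the parse_strk hunk, and both function bodies continue outside their hunks.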
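Review bot: In parse_strk the added bound keeps the `AV_RL32(buf + 8)` read inside the header buffer, but the `track` value it yields is still a file-controlled 32-bit field stored in an `int`, and no range check on it is visible. How `track` is used lies outside the hunk; if it sizes or indexes a per-track array, negative values and values large enough to overflow an allocation size need to be rejected before that use. Worth confirming against the rest of the function.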
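Review bot: The new std__TAG guard in fourxm_read_header checks only the buffer (`header_size - i < 16`) and ignores the chunk's own `size` field, unlike the vtrk/strk branches. The read at `header[i + 12]` is now in bounds, but a std_ chunk that declares fewer than 8 payload bytes would still have its fps taken from bytes past its declared end; `if (header_size - i < 16 || size < 8)` would tie the read to the chunk, if rejecting such files is acceptable. The literal 16 also deserves a comment such as `/* 8-byte chunk header + fps field at offset 12 */`. The surrounding loop and the declarations of `size` and `header_size` are outside the hunk.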