author | Michael Niedermayer <[email protected]> | 2025-09-20 01:25:51 +0200 |
---|---|---|
committer | michaelni <[email protected]> | 2025-09-21 00:49:44 +0000 |
commit | 55e71768cf7d9cb395187be0cf38e97b9c454ea1 (patch) | |
tree | ec1e1187c63f5aeba478d2c6f01d7d924b57f84b | |
parent | 8d65da767b2b727a80672969f3120286ee478290 (diff) |
avformat/dhav: Fix off by length of read element error
Fixes: out of array read
Fixes: BIGSLEEP-445383648
Fixes: crash_input_1/2/3.dhav
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
-rw-r--r-- | libavformat/dhav.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavformat/dhav.c b/libavformat/dhav.c
index 21c9c530d6..b3fa612ab3 100644
--- a/libavformat/dhav.c
+++ b/libavformat/dhav.c
@@ -251,7 +251,7 @@ static int64_t get_duration(AVFormatContext *s)
 unsigned date;
 int64_t size = avio_size(s->pb);
- if (start_pos + 16 > size)
+ if (start_pos + 20 > size)
 return 0;
 avio_skip(s->pb, 16);
@@ -279,7 +279,7 @@ static int64_t get_duration(AVFormatContext *s)
 }
 }
- if (pos < buffer_pos || pos + 16 > buffer_pos + buffer_size)
+ if (pos < buffer_pos || pos + 20 > buffer_pos + buffer_size)
 goto fail;
 date = AV_RL32(buffer + (pos - buffer_pos) + 16); |
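Review bot: The new bound 20 in both changed checks is an unexplained literal: it is the 16-byte offset plus the 4 bytes the following read consumes, and nothing in the code ties the two together, which is the same coupling that let the original off-by-four through. In the second hunk the dependent read `AV_RL32(buffer + (pos - buffer_pos) + 16)` is visible; in the first, the read after `avio_skip(s->pb, 16)` lies outside the hunk, so presumably it is a 4-byte read as well. I would spell the sum out, e.g. `if (start_pos + 16 + 4 > size)` and `if (pos < buffer_pos || pos + 16 + 4 > buffer_pos + buffer_size)`, or add a comment such as `/* 16-byte offset of the field + 4 bytes read by AV_RL32 */` above each check. get_duration's body starts and ends outside both hunks, so where `pos` comes from and how it is typed cannot be checked from here.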