diff options
| author | 孙浩 and 张洪亮(望初) <tony.sh and wangchu.zhl@alibaba-inc.com> | 2017-08-25 01:15:29 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-09-10 01:33:28 +0200 |
| commit | 8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d (patch) | |
| tree | 94be8188b8694bb45c1d711031e6335768759b6b | |
| parent | 6bd562e04440c48eb79e24c36800791bbb1ba0b6 (diff) | |
| download | ffmpeg-8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d.tar.gz | |
avformat/rl2: Fix DoS due to lack of eof check
Fixes: loop.rl2
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavformat/rl2.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 0bec8f1d9a..eb1682dfcb 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;i<frame_count;i++){ |