authorMark Harris <mark.hsj@gmail.com>2016-02-15 23:52:13 -0800
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>2016-11-27 00:38:58 +0100
commit9375a7d85e8bc78dbb5cc101c37ff7c51f7d9b24 (patch)
tree00106d00b0bb08548ec0018b7bd5a3fec6bb17a6
parente8ab2bd2ac85ad0b1013f247d35032b7cd7f771e (diff)
avformat/icodec: Fix crash probing fuzzed file
Avoid invalid memory read/crash when frame offset >= 0xfffffff8. Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w== (The previous commit verifies that p->buf_size >= 22.) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 56e2cd9c042e05255aa28487694c29aaec023263) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-rw-r--r--libavformat/icodec.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/icodec.c b/libavformat/icodec.c
index 20721d5ff5..bd83ef4c95 100644
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -60,7 +60,7 @@ static int probe(AVProbeData *p)
offset = AV_RL32(p->buf + 18 + i * 16);
if (offset < 22)
return FFMIN(i, AVPROBE_SCORE_MAX / 4);
- if (offset + 8 > p->buf_size)
+ if (offset > p->buf_size - 8)
return AVPROBE_SCORE_MAX / 4 + FFMIN(i, 1);
if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
return FFMIN(i, AVPROBE_SCORE_MAX / 4);
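Review bot: The rewritten bound `if (offset > p->buf_size - 8)` is only correct while `p->buf_size` is at least 8, and nothing in this hunk shows that. If `offset` is unsigned (its declaration is outside the hunk, but the wrap-around described in the commit message suggests it is), a negative right-hand side would convert to a very large unsigned value and the guard would let every offset through to the `p->buf[offset]` and `AV_RB64(p->buf + offset)` reads. The commit message says a previous commit guarantees `p->buf_size >= 22`, so I would record that dependency next to the comparison, e.g. `/* buf_size >= 22 is checked earlier in probe(), so buf_size - 8 cannot be negative */`, so a later refactor of that earlier check does not silently reopen the out-of-bounds read. The body of probe() starts and ends outside the hunk.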