rtp: Fix integer underflow that could allow remote code execution.

Fixes MSVR-11-0088 Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit ba9a7e0d71bd34f8b89ae99322b62a310be163a6)
author: Michael Niedermayer <michaelni@gmx.at> 2011-09-07 14:12:42 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2011-09-07 15:11:55 +0200
commit: f601bf4004ae1e13bbd805a98f95822a3def4c38 (patch)
tree: adfca7e18d3e829c701e306f8f3c40e46df1957c
parent: 78fb7355c84ea5796ecdd0266a436e8111f085ce (diff)
download: ffmpeg-f601bf4004ae1e13bbd805a98f95822a3def4c38.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 4f776453d7..384aeb24f3 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
                 int prev_len = out_len;
                 out_len += cur_len;
                 asf->buf = av_realloc(asf->buf, out_len);
+                if(!asf->buf || FFMIN(cur_len, len - off)<0)
+                    return -1;
                 memcpy(asf->buf + prev_len, buf + off,
                        FFMIN(cur_len, len - off));
                 avio_skip(pb, cur_len);
author	Michael Niedermayer <michaelni@gmx.at>	2011-09-07 14:12:42 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2011-09-07 15:11:55 +0200
commit	f601bf4004ae1e13bbd805a98f95822a3def4c38 (patch)
tree	adfca7e18d3e829c701e306f8f3c40e46df1957c
parent	78fb7355c84ea5796ecdd0266a436e8111f085ce (diff)
download	ffmpeg-f601bf4004ae1e13bbd805a98f95822a3def4c38.tar.gz