aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2009-01-28 13:37:26 +0000
committerMichael Niedermayer <michaelni@gmx.at>2009-01-28 13:37:26 +0000
commit0838cfdc8a10185604db5cd9d6bffad71279a0e8 (patch)
tree9760b77aa269c434f50a72832db383af949fcc50 /libavformat
parent5a446bc88e49cc6400d0c646ca1eb540a727c9de (diff)
downloadffmpeg-0838cfdc8a10185604db5cd9d6bffad71279a0e8.tar.gz
Fix remotely exploitable arbitrary code execution vulnerability.
Found by Tobias Klein / tk // trapkit / de / See: http://www.trapkit.de/advisories/TKADV2009-004.txt Originally committed as revision 16846 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/4xm.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 513f51845a..74522f8d27 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -166,12 +166,13 @@ static int fourxm_read_header(AVFormatContext *s,
goto fail;
}
current_track = AV_RL32(&header[i + 8]);
+ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+ av_log(s, AV_LOG_ERROR, "current_track too large\n");
+ ret= -1;
+ goto fail;
+ }
if (current_track + 1 > fourxm->track_count) {
fourxm->track_count = current_track + 1;
- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){
- ret= -1;
- goto fail;
- }
fourxm->tracks = av_realloc(fourxm->tracks,
fourxm->track_count * sizeof(AudioTrack));
if (!fourxm->tracks) {