authorVittorio Giovara <vittorio.giovara@gmail.com>2014-10-20 14:11:21 +0100
committerVittorio Giovara <vittorio.giovara@gmail.com>2014-10-24 23:42:53 +0100
commit0b66fb4505e0bb43de3797f63f3290f0188d67cc (patch)
treee74ce34200681399f20c373e3d8fe1ddd72b3b96 /libavformat
parentf1ed83e23add1c26c50b146727e4c2399dfc0b3a (diff)
flac_picture: prevent a possible out of bound write
At "mimetype[len] = 0;" mimetype is a 64 element array and len might be equal to or greater than that. CC: libav-stable@libav.org Bug-Id: CID 1061055
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/flac_picture.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c
index 69d27244ff..a6b55379f8 100644
--- a/libavformat/flac_picture.c
+++ b/libavformat/flac_picture.c
@@ -31,8 +31,8 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
uint8_t mimetype[64], *desc = NULL;
AVIOContext *pb = NULL;
AVStream *st;
- int type, width, height;
- int len, ret = 0;
+ int width, height, ret = 0;
+ unsigned int type, len;
pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL);
if (!pb)
@@ -40,7 +40,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* read the picture type */
type = avio_rb32(pb);
- if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types) || type < 0) {
+ if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
if (s->error_recognition & AV_EF_EXPLODE) {
ret = AVERROR_INVALIDDATA;
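Review bot: The `av_log` call right after the range check still formats `type` with `%d`, but `type` is now `unsigned int`, so the specifier no longer matches the argument and a rejected value of 0x80000000 or above is logged as a negative number. Use `"Invalid picture type: %u.\n"` here. The same mismatch exists in the last hunk, where the unsigned `len` is printed with `"Invalid attached picture size: %d.\n"`. The body of ff_flac_parse_picture continues outside this hunk.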
@@ -51,7 +51,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* picture mimetype */
len = avio_rb32(pb);
- if (len <= 0 ||
+ if (!len || len >= 64 ||
avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) {
av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
"picture.\n");
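Review bot: The new bound `len >= 64` hard-codes the size of `mimetype`, so the check and the later `mimetype[len] = 0;` write silently go out of sync if the array declaration is ever resized. Tie it to the array instead: `if (!len || len >= sizeof(mimetype) ||`. Once that bound holds, `FFMIN(len, sizeof(mimetype) - 1)` always evaluates to `len`, so the read can be simplified to `avio_read(pb, mimetype, len) != len) {`, which makes the invariant easier to audit. The terminating write itself is outside this hunk.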
@@ -100,7 +100,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* picture data */
len = avio_rb32(pb);
- if (len <= 0) {
+ if (!len) {
av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len);
if (s->error_recognition & AV_EF_EXPLODE)
ret = AVERROR_INVALIDDATA;
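Review bot: With `len` now unsigned, `if (!len)` rejects only zero, so a length field of 0x80000000 or more now passes this check, where the old `len <= 0` rejected it as negative. The code that consumes `len` lies outside the hunk, so it cannot be confirmed from here whether a later allocation or read bounds it; presumably it sizes the picture buffer, in which case adding padding to it could also wrap. Since the picture is parsed out of a `buf_size`-byte input, an explicit upper bound such as `if (!len || len > (unsigned int)buf_size) {` would keep file-controlled sizes away from the allocation. The exact limit should be checked against what has already been consumed from `pb`.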