authorMark Harris <mark.hsj@gmail.com>2016-02-15 23:52:13 -0800
committerMichael Niedermayer <michael@niedermayer.cc>2016-02-20 02:56:25 +0100
commit56e2cd9c042e05255aa28487694c29aaec023263 (patch)
tree4549656eaaac42d72731b80b40f4a68438e9bf6a /libavformat
parent1b4fbf808082eaa6945e5fc2cda487573691e8e6 (diff)
avformat/icodec: Fix crash probing fuzzed file
Avoid invalid memory read/crash when frame offset >= 0xfffffff8. Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w== (The previous commit verifies that p->buf_size >= 22.) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/icodec.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavformat/icodec.c b/libavformat/icodec.c
index b247cb2567..17acfb4b2f 100644
--- a/libavformat/icodec.c
+++ b/libavformat/icodec.c
@@ -63,7 +63,7 @@ static int probe(AVProbeData *p)
offset = AV_RL32(p->buf + 18 + i * 16);
if (offset < 22)
return FFMIN(i, AVPROBE_SCORE_MAX / 4);
- if (offset + 8 > p->buf_size)
+ if (offset > p->buf_size - 8)
continue;
if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
return FFMIN(i, AVPROBE_SCORE_MAX / 4);
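Review bot: The rewritten bound `offset > p->buf_size - 8` is only correct while `p->buf_size >= 8`, and nothing on the line records that dependency. If `offset` is unsigned, as the AV_RL32 assignment suggests (its declaration is outside the hunk), a smaller buffer would make the subtraction negative and the comparison would convert it to a very large unsigned value, so nearly every offset would fall through to the `p->buf[offset]` and AV_RB64 reads below. The commit message states that the previous commit guarantees `p->buf_size >= 22`, but that guard is not visible here. I would add a comment above the comparison, for example `/* p->buf_size >= 22 is verified earlier in probe(), so buf_size - 8 cannot go negative */`, so that a later change to the early size check does not silently reopen the out-of-bounds read. probe() starts and ends outside the hunk.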