author | Michael Niedermayer <michaelni@gmx.at> | 2011-09-07 14:12:42 +0200 |
---|---|---|
committer | Martin Storsjö <martin@martin.st> | 2011-09-07 23:33:53 +0300 |
commit | 5ea091fb5a12dc0210b8efdf30b573b87e21652b (patch) | |
tree | 2df6201097f89765182942e0b46b7b73d979ffaa /libavformat | |
parent | 0ca36b4de76e10578e23199c2932682c0f510e31 (diff) | |
download | ffmpeg-5ea091fb5a12dc0210b8efdf30b573b87e21652b.tar.gz |
rtpdec_asf: Fix integer underflow that could allow remote code execution
Fixes MSVR-11-0088.
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
Diffstat (limited to 'libavformat')
-rw-r--r-- | libavformat/rtpdec_asf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c index 287025f377..9d8c87b889 100644 --- a/libavformat/rtpdec_asf.c +++ b/libavformat/rtpdec_asf.c @@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, int cur_len = start_off + len_off - off; int prev_len = out_len; + void *newmem; out_len += cur_len; - asf->buf = av_realloc(asf->buf, out_len); + if (FFMIN(cur_len, len - off) < 0) + return -1; + newmem = av_realloc(asf->buf, out_len); + if (!newmem) + return -1; + asf->buf = newmem; memcpy(asf->buf + prev_len, buf + off, FFMIN(cur_len, len - off)); avio_skip(pb, cur_len); |
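Review bot: in the added lines ahead of `av_realloc`, `FFMIN(cur_len, len - off)` is evaluated once for the `< 0` test and again as the `memcpy` size. Computing it once into a local and using that for both keeps the validated bound and the copied bound identical if either line is edited later. The test also runs after `out_len += cur_len`, so a negative `cur_len` has already been added into `out_len` when the function returns; placing the test above the addition avoids that. Both failure paths return a bare `-1`; `AVERROR_INVALIDDATA` for the bad length and `AVERROR(ENOMEM)` for the failed `av_realloc` would let callers tell them apart. Separately, when `cur_len` is larger than `len - off` the buffer still grows by `cur_len` while only `len - off` bytes are copied, so the tail of the newly added region is left unwritten; consider rejecting that case as well or zero-filling the remainder.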