Message ID | fae6bdf8-f7d3-5144-9906-9c5257f42850@googlemail.com |
---|---|
State | Accepted |
Commit | 367cac7827870054ae3bd6d4517e7b13f4f3f72c |
Headers | show |
On 01/01/2017 08:27 PM, Andreas Cadhalpun wrote: > This fixes heap-buffer-overflows in libopenmpt caused by interpreting > the negative size value as unsigned size_t. > > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > --- > libavformat/libopenmpt.c | 5 +++++ > 1 file changed, 5 insertions(+) Looks fine to me. Regards, Jörn
On 01/09/2017 08:20 PM, Jörn Heusipp wrote: > On 01/01/2017 08:27 PM, Andreas Cadhalpun wrote: >> This fixes heap-buffer-overflows in libopenmpt caused by interpreting >> the negative size value as unsigned size_t. >> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> --- >> libavformat/libopenmpt.c | 5 +++++ >> 1 file changed, 5 insertions(+) > > Looks fine to me. Is there any reason this patch has not been committed yet? Also needs to be applied to the release/3.2 branch. Regards, Jörn
On Sun, Jan 15, 2017 at 12:55:46PM +0100, Jörn Heusipp wrote: > > On 01/09/2017 08:20 PM, Jörn Heusipp wrote: > >On 01/01/2017 08:27 PM, Andreas Cadhalpun wrote: > >>This fixes heap-buffer-overflows in libopenmpt caused by interpreting > >>the negative size value as unsigned size_t. > >> > >>Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > >>--- > >> libavformat/libopenmpt.c | 5 +++++ > >> 1 file changed, 5 insertions(+) > > > >Looks fine to me. > > Is there any reason this patch has not been committed yet? i cant see one, thus applied thx > Also needs to be applied to the release/3.2 branch. > > Regards, > Jörn > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c index e7091ef9fc..35fd28f5f4 100644 --- a/libavformat/libopenmpt.c +++ b/libavformat/libopenmpt.c @@ -82,6 +82,11 @@ static int read_header_openmpt(AVFormatContext *s) if (!buf) return AVERROR(ENOMEM); size = avio_read(s->pb, buf, size); + if (size < 0) { + av_log(s, AV_LOG_ERROR, "Reading input buffer failed.\n"); + av_freep(&buf); + return size; + } openmpt->module = openmpt_module_create_from_memory(buf, size, openmpt_logfunc, s, NULL); av_freep(&buf);
This fixes heap-buffer-overflows in libopenmpt caused by interpreting the negative size value as unsigned size_t. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> --- libavformat/libopenmpt.c | 5 +++++ 1 file changed, 5 insertions(+)