[FFmpeg-devel,2/2,v2] webmdashenc: Validate the 'streams' adaptation sets parameter

Submitted by Derek Buitenhuis on April 20, 2017, 3:17 p.m.

Details

Message ID 1492701464-39027-1-git-send-email-derek.buitenhuis@gmail.com
State New
Headers show

Commit Message

Derek Buitenhuis April 20, 2017, 3:17 p.m.
It should not be a value larger than the number of streams we have,
or it will cause invalid reads and/or SIGSEGV.

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
---
 libavformat/webmdashenc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer April 20, 2017, 3:46 p.m.
On Thu, Apr 20, 2017 at 04:17:44PM +0100, Derek Buitenhuis wrote:
> It should not be a value larger than the number of streams we have,
> or it will cause invalid reads and/or SIGSEGV.
> 
> Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
> ---
>  libavformat/webmdashenc.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)

applied

thx

[...]

Patch hide | download patch | download mbox

diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index 2f5c31e..cde36f5 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
@@ -467,7 +467,11 @@  static int parse_adaptation_sets(AVFormatContext *s)
             if (as->streams == NULL)
                 return AVERROR(ENOMEM);
             as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1);
-            if (as->streams[as->nb_streams - 1] < 0) return -1;
+            if (as->streams[as->nb_streams - 1] < 0 ||
+                as->streams[as->nb_streams - 1] >= s->nb_streams) {
+                av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n");
+                return AVERROR_INVALIDDATA;
+            }
             if (*q == '\0') break;
             if (*q == ' ') state = new_set;
             p = ++q;