[FFmpeg-devel,1/6] avformat/mms: Add missing chunksize check

Submitted by Michael Niedermayer on July 3, 2018, 9:05 p.m.

Details

Message ID 20180703210530.7493-1-michael@niedermayer.cc
State New

Commit Message

Michael Niedermayer July 3, 2018, 9:05 p.m.
Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mms.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Michael Niedermayer July 6, 2018, 9:24 a.m.
On Tue, Jul 03, 2018 at 11:05:25PM +0200, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a
> 
> Found-by: Paul Ch <paulcher@icloud.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mms.c | 6 ++++++
>  1 file changed, 6 insertions(+)

will apply with an additional check


[...]

Patch

diff --git a/libavformat/mms.c b/libavformat/mms.c
index 17fa76a8d4..036046dc37 100644
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@@ -143,6 +143,12 @@  int ff_mms_asf_header_parser(MMSContext *mms)
             }
         } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
             chunksize = 46; // see references [2] section 3.4. This should be set 46.
+            if (chunksize > end - p) {
+                av_log(NULL, AV_LOG_ERROR,
+                    "Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+                    chunksize);
+                return AVERROR_INVALIDDATA;
+            }
         }
         p += chunksize;
     }
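Review bot: the error text at the `av_log` call in this hunk is misleading, because `chunksize` is the constant 46 assigned on the line just above it; what is actually wrong is that fewer than 46 bytes remain in the buffer (`end - p`), i.e. the header is truncated. Consider wording it that way, e.g. `"Corrupt stream (truncated ASF header object, %"PRId64" bytes needed)\n"`, so the message points at the real condition. Two further points: the check uses `>` rather than `>=`, so `chunksize == end - p` is accepted and `p += chunksize` then leaves `p == end`; please confirm the loop condition (not visible in this hunk) terminates cleanly in that case rather than reading at `p`. And since the guard is only added inside the `ff_asf_head1_guid` branch, any other branch of this chain that sets `chunksize` from stream data would need the same `end - p` bound before the shared `p += chunksize` advance.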