Message ID | 20180703210530.7493-1-michael@niedermayer.cc |
---|---|
State | New |

On Tue, Jul 03, 2018 at 11:05:25PM +0200, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a
>
> Found-by: Paul Ch <paulcher@icloud.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/mms.c | 6 ++++++
>  1 file changed, 6 insertions(+)

will apply with an additional check

[...]

diff --git a/libavformat/mms.c b/libavformat/mms.c index 17fa76a8d4..036046dc37 100644 --- a/libavformat/mms.c +++ b/libavformat/mms.c @@ -143,6 +143,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { chunksize = 46; // see references [2] section 3.4. This should be set 46. + if (chunksize > end - p) { + av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (header chunksize %"PRId64" is invalid)\n", + chunksize); + return AVERROR_INVALIDDATA; + } } p += chunksize; }
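
Review bot: the message in the added av_log call reports chunksize as invalid, but in this branch chunksize is the constant 46 assigned on the line just above, so the log always prints 46 and never shows the value that actually triggered the error, which is the number of bytes left in the buffer (end - p). Consider logging end - p, or wording the message as a truncated header rather than an invalid chunk size. The new comparison also sits inside the ff_asf_head1_guid branch, while `p += chunksize;` after it runs for every branch; if the other branches, which are not visible in this hunk, do not already bound chunksize against end - p, doing the comparison once immediately before `p += chunksize;` would cover all of them.
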
Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/mms.c | 6 ++++++
 1 file changed, 6 insertions(+)