diff mbox

[FFmpeg-devel,3/6] avformat/asfdec_o: Check size_bmp more fully

Message ID 20180703210530.7493-3-michael@niedermayer.cc
State Accepted
Commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869
Headers show

Commit Message

Michael Niedermayer July 3, 2018, 9:05 p.m. UTC 
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/asfdec_o.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer July 5, 2018, 12:02 p.m. UTC | #1 
On Tue, Jul 03, 2018 at 11:05:27PM +0200, Michael Niedermayer wrote:
> Fixes: integer overflow and out of array access
> Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7
> 
> Found-by: Paul Ch <paulcher@icloud.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/asfdec_o.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

will apply

[...]
diff mbox

Patch

diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 5122e33c78..b4b2698368 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -706,7 +706,8 @@  static int parse_video_info(AVIOContext *pb, AVStream *st)
     st->codecpar->codec_id  = ff_codec_get_id(ff_codec_bmp_tags, tag);
     size_bmp = FFMAX(size_asf, size_bmp);
 
-    if (size_bmp > BMP_HEADER_SIZE) {
+    if (size_bmp > BMP_HEADER_SIZE &&
+        size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
         int ret;
         st->codecpar->extradata_size  = size_bmp - BMP_HEADER_SIZE;
         if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +