Message ID | 20200407110334.3213-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | daa2482871dffa9af12fa6d874a3d2dedd73f42e |
Headers | show |
Series | [FFmpeg-devel] avformat/aadec: Check toc_size to contain the minimum to demuxer uses | expand |
Context | Check | Description |
---|---|---|
andriy/ffmpeg-patchwork | success | Make fate finished |
On Tue, Apr 07, 2020 at 01:03:34PM +0200, Michael Niedermayer wrote: > Fixes: out of array access > Fixes: stack-buffer-overflow-READ-0x0831fff1 > > Found-by: GalyCannon <galycannon@gmail.com> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavformat/aadec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) will apply [...]
diff --git a/libavformat/aadec.c b/libavformat/aadec.c index b9dd51ebfc..63f8176a57 100644 --- a/libavformat/aadec.c +++ b/libavformat/aadec.c @@ -92,7 +92,7 @@ static int aa_read_header(AVFormatContext *s) avio_skip(pb, 4); // magic string toc_size = avio_rb32(pb); // TOC size avio_skip(pb, 4); // unidentified integer - if (toc_size > MAX_TOC_ENTRIES) + if (toc_size > MAX_TOC_ENTRIES || toc_size < 2) return AVERROR_INVALIDDATA; for (i = 0; i < toc_size; i++) { // read TOC avio_skip(pb, 4); // TOC entry index
Fixes: out of array access Fixes: stack-buffer-overflow-READ-0x0831fff1 Found-by: GalyCannon <galycannon@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavformat/aadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)