[FFmpeg-devel] avformat/aadec: Check toc_size to contain the minimum to demuxer uses

Message ID 20200407110334.3213-1-michael@niedermayer.cc
State Accepted
Commit daa2482871dffa9af12fa6d874a3d2dedd73f42e

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer April 7, 2020, 11:03 a.m. UTC
Fixes: out of array access
Fixes: stack-buffer-overflow-READ-0x0831fff1

Found-by: GalyCannon <galycannon@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavformat/aadec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer May 21, 2020, 10:17 a.m. UTC | #1
On Tue, Apr 07, 2020 at 01:03:34PM +0200, Michael Niedermayer wrote:
> Fixes: out of array access
> Fixes: stack-buffer-overflow-READ-0x0831fff1
> 
> Found-by: GalyCannon <galycannon@gmail.com>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavformat/aadec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

will apply

[...]
Patch

diff --git a/libavformat/aadec.c b/libavformat/aadec.c
index b9dd51ebfc..63f8176a57 100644
--- a/libavformat/aadec.c
+++ b/libavformat/aadec.c
@@ -92,7 +92,7 @@  static int aa_read_header(AVFormatContext *s)
     avio_skip(pb, 4); // magic string
     toc_size = avio_rb32(pb); // TOC size
     avio_skip(pb, 4); // unidentified integer
-    if (toc_size > MAX_TOC_ENTRIES)
+    if (toc_size > MAX_TOC_ENTRIES || toc_size < 2)
         return AVERROR_INVALIDDATA;
     for (i = 0; i < toc_size; i++) { // read TOC
         avio_skip(pb, 4); // TOC entry index
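
Review bot: The literal 2 in the added condition `toc_size < 2` is unexplained at the point of the check, and nothing in this hunk shows which later access needs that minimum; the TOC loop that follows is itself safe for any count from zero up. Since the commit message ties this bound to a stack-buffer-overflow read, a short comment on the line naming the code after the TOC loop that depends on the minimum (or a named constant next to MAX_TOC_ENTRIES) would keep the lower bound from being relaxed later by someone who sees only an arbitrary number. It is also worth confirming that toc_size is declared with a type that matches the unsigned 32-bit value returned by avio_rb32(), since the declaration is outside the visible context and both comparisons depend on it.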