highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

check fragment offset and size

Browse Source 
yes this too could have been exploitable ...

Originally committed as revision 7650 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Michael Niedermayer 2007-01-22 16:37:45 +00:00
parent ae60a85780
commit 4c71d72701
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavformat/asf.c
View File

@ -703,6 +703,14 @@ static int asf_read_packet(AVFormatContext *s, AVPacket *pkt)
asf->packet_size_left -= asf->packet_frag_size; asf->packet_size_left -= asf->packet_frag_size;
if (asf->packet_size_left < 0) if (asf->packet_size_left < 0)
continue; continue;
if( asf->packet_frag_offset >= asf_st->pkt.size
|| asf->packet_frag_size > asf_st->pkt.size - asf->packet_frag_offset){
av_log(s, AV_LOG_ERROR, "packet fragment position invalid %u,%u not in %u\n",
asf->packet_frag_offset, asf->packet_frag_size, asf_st->pkt.size);
continue;
}
get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset, get_buffer(pb, asf_st->pkt.data + asf->packet_frag_offset,
asf->packet_frag_size); asf->packet_frag_size);
asf_st->frag_offset += asf->packet_frag_size; asf_st->frag_offset += asf->packet_frag_size;

4
libavformat/asf.h
View File

@ -106,8 +106,8 @@ typedef struct {
int packet_replic_size; int packet_replic_size;
int packet_key_frame; int packet_key_frame;
int packet_padsize; int packet_padsize;
int packet_frag_offset; unsigned int packet_frag_offset;
int packet_frag_size; unsigned int packet_frag_size;
int packet_frag_timestamp; int packet_frag_timestamp;
int packet_multi_size; int packet_multi_size;
int packet_obj_size; int packet_obj_size;