highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avformat/asfdec_o: Check size_bmp more fully

Browse Source 
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869)
Signed-off-by: James Almer <jamrial@gmail.com>
This commit is contained in:
Michael Niedermayer 2018-07-03 21:01:23 +02:00 committed by James Almer
parent 32e8eed1ae
commit 67149cb2f6
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/asfdec_o.c
View File

@ -704,7 +704,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
size_bmp = FFMAX(size_asf, size_bmp);
if (size_bmp > BMP_HEADER_SIZE) {
if (size_bmp > BMP_HEADER_SIZE &&
size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
int ret;
st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE;
if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +