Fixes MSVR-11-0088.
Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Martin Storsjö <martin@martin.st>
| ... | ... |
@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, |
| 233 | 233 |
|
| 234 | 234 |
int cur_len = start_off + len_off - off; |
| 235 | 235 |
int prev_len = out_len; |
| 236 |
+ void *newmem; |
|
| 236 | 237 |
out_len += cur_len; |
| 237 |
- asf->buf = av_realloc(asf->buf, out_len); |
|
| 238 |
+ if (FFMIN(cur_len, len - off) < 0) |
|
| 239 |
+ return -1; |
|
| 240 |
+ newmem = av_realloc(asf->buf, out_len); |
|
| 241 |
+ if (!newmem) |
|
| 242 |
+ return -1; |
|
| 243 |
+ asf->buf = newmem; |
|
| 238 | 244 |
memcpy(asf->buf + prev_len, buf + off, |
| 239 | 245 |
FFMIN(cur_len, len - off)); |
| 240 | 246 |
avio_skip(pb, cur_len); |
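Review bot: When `cur_len` is larger than `len - off`, the buffer grows by `cur_len` but the `memcpy` writes only `len - off` bytes, so the tail of the newly reallocated region of `asf->buf` stays uninitialized; the added check rejects only a negative copy length. If that buffer is later parsed or passed on as packet data (not visible in this hunk), stale heap contents could reach the output. Consider rejecting the over-long case too, `if (cur_len < 0 || cur_len > len - off) return -1;`, or zeroing the uncopied tail after the copy. Separately, `out_len += cur_len` runs in signed `int` before any validation, and `out_len` appears to accumulate across iterations, so a bounds check before the addition would be worthwhile. The enclosing function begins and ends outside this hunk.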