Fixes out-of-array read
Fixes: mozilla bug 1266129
Found-by: Tyson Smith
Tested-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9f36ea57ae6eefb42432220feab0350494f4144c)
Conflicts:
libavcodec/avpacket.c
@@ -411,10 +411,12 @@ int av_packet_split_side_data(AVPacket *pkt){ |
411 | 411 |
p = pkt->data + pkt->size - 8 - 5; |
412 | 412 |
for (i=1; ; i++){ |
413 | 413 |
size = AV_RB32(p); |
414 |
- if (size>INT_MAX || p - pkt->data < size) |
|
414 |
+ if (size>INT_MAX - 5 || p - pkt->data < size) |
|
415 | 415 |
return 0; |
416 | 416 |
if (p[4]&128) |
417 | 417 |
break; |
418 |
+ if (p - pkt->data < size + 5) |
|
419 |
+ return 0; |
|
418 | 420 |
p-= size+5; |
419 | 421 |
} |
420 | 422 |
|
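Review bot: The two bounds checks in the first loop are ordered deliberately — the `size + 5` test is skipped for the final element (flag bit set in `p[4]`) because nothing has to precede that element's data — but nothing in the code says so, and a later cleanup that merges the two tests would start rejecting valid packets. I would add `/* +5 covers the next element's 5-byte trailer; the last element (p[4]&128) has nothing below its data */` above the added `if (p - pkt->data < size + 5)`. The `INT_MAX - 5` bound is what keeps `size + 5` from wrapping and makes that second test sound; `size`'s declaration is outside the hunk, so this assumes it is an unsigned 32-bit type. The second hunk's assert mirrors only the first condition; if the second loop steps by `size + 5` as the first one does (that line is outside the hunk), a one-line comment that its bounds were already validated by the first pass would make the weaker assert understandable.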
@@ -425,7 +427,7 @@ int av_packet_split_side_data(AVPacket *pkt){ |
425 | 425 |
p= pkt->data + pkt->size - 8 - 5; |
426 | 426 |
for (i=0; ; i++){ |
427 | 427 |
size= AV_RB32(p); |
428 |
- av_assert0(size<=INT_MAX && p - pkt->data >= size); |
|
428 |
+ av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size); |
|
429 | 429 |
pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); |
430 | 430 |
pkt->side_data[i].size = size; |
431 | 431 |
pkt->side_data[i].type = p[4]&127; |