Browse code
avcodec/avpacket: Fix off by 5 error
Fixes out of array read
Fixes: mozilla bug 1266129
Found-by: Tyson Smith
Tested-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9f36ea57ae6eefb42432220feab0350494f4144c)
Conflicts:
libavcodec/avpacket.c
Michael Niedermayer authored on 2016/04/21 05:38:26Showing 1 changed files
| ... | ... |
@@ -411,10 +411,12 @@ int av_packet_split_side_data(AVPacket *pkt){
|
| 411 | 411 |
p = pkt->data + pkt->size - 8 - 5; |
| 412 | 412 |
for (i=1; ; i++){
|
| 413 | 413 |
size = AV_RB32(p); |
| 414 |
- if (size>INT_MAX || p - pkt->data < size) |
|
| 414 |
+ if (size>INT_MAX - 5 || p - pkt->data < size) |
|
| 415 | 415 |
return 0; |
| 416 | 416 |
if (p[4]&128) |
| 417 | 417 |
break; |
| 418 |
+ if (p - pkt->data < size + 5) |
|
| 419 |
+ return 0; |
|
| 418 | 420 |
p-= size+5; |
| 419 | 421 |
} |
| 420 | 422 |
|
| ... | ... |
@@ -425,7 +427,7 @@ int av_packet_split_side_data(AVPacket *pkt){
|
| 425 | 425 |
p= pkt->data + pkt->size - 8 - 5; |
| 426 | 426 |
for (i=0; ; i++){
|
| 427 | 427 |
size= AV_RB32(p); |
| 428 |
- av_assert0(size<=INT_MAX && p - pkt->data >= size); |
|
| 428 |
+ av_assert0(size<=INT_MAX - 5 && p - pkt->data >= size); |
|
| 429 | 429 |
pkt->side_data[i].data = av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE); |
| 430 | 430 |
pkt->side_data[i].size = size; |
| 431 | 431 |
pkt->side_data[i].type = p[4]&127; |