[05/10] mpc8: Check the seek table size parsed from the bitstream

Message ID 1378932481-98398-5-git-send-email-martin@martin.st
State Committed

Commit Message

Martin Storsjö Sept. 11, 2013, 8:47 p.m.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavformat/mpc8.c |    4 ++++
 1 file changed, 4 insertions(+)

Comments

Luca Barbato Sept. 11, 2013, 9:03 p.m. | #1
On 11/09/13 22:47, Martin Storsjö wrote:
> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: libav-stable@libav.org
> ---
>  libavformat/mpc8.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
> index c3c70e0..21b8403 100644
> --- a/libavformat/mpc8.c
> +++ b/libavformat/mpc8.c
> @@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
>          av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
>          return;
>      }
> +    if (size < 0 || size >= INT_MAX/2) {
                                     ^^^ spaces
> +        av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
> +        return;
> +    }
>      if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
>          return;
>      avio_read(s->pb, buf, size);
>
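Review bot: the return value of `avio_read(s->pb, buf, size)` right after the new check is still ignored, so a file whose chunk header announces a larger seek table than the file actually contains leaves the tail of `buf` uninitialized before it is parsed. Since `size` is taken from the bitstream just like the value the new check guards, it would be consistent to also verify that the read returned `size` (freeing `buf` and returning otherwise) in the same change, rather than only bounding the allocation.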
Martin Storsjö Sept. 11, 2013, 9:13 p.m. | #2
On Wed, 11 Sep 2013, Luca Barbato wrote:

> On 11/09/13 22:47, Martin Storsjö wrote:
>> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>> CC: libav-stable@libav.org
>> ---
>>  libavformat/mpc8.c |    4 ++++
>>  1 file changed, 4 insertions(+)
>> 
>> diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
>> index c3c70e0..21b8403 100644
>> --- a/libavformat/mpc8.c
>> +++ b/libavformat/mpc8.c
>> @@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
>>          av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
>>          return;
>>      }
>> +    if (size < 0 || size >= INT_MAX/2) {
>                                     ^^^ spaces
>> +        av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
>> +        return;
>> +    }
>>      if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
>>          return;
>>      avio_read(s->pb, buf, size);
>>

Amended locally - ok with that change?

// Martin
Luca Barbato Sept. 11, 2013, 9:15 p.m. | #3
On 11/09/13 23:13, Martin Storsjö wrote:
> On Wed, 11 Sep 2013, Luca Barbato wrote:
> 
>> On 11/09/13 22:47, Martin Storsjö wrote:
>>> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
>>> CC: libav-stable@libav.org
>>> ---
>>>  libavformat/mpc8.c |    4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
>>> index c3c70e0..21b8403 100644
>>> --- a/libavformat/mpc8.c
>>> +++ b/libavformat/mpc8.c
>>> @@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext
>>> *s, int64_t off)
>>>          av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
>>>          return;
>>>      }
>>> +    if (size < 0 || size >= INT_MAX/2) {
>>                                     ^^^ spaces
>>> +        av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
>>> +        return;
>>> +    }
>>>      if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
>>>          return;
>>>      avio_read(s->pb, buf, size);
>>>
> 
> Amended locally - ok with that change?
> 

Looks fine even if I'd like to know why the INT_MAX / 2 limit.

lu

Patch

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index c3c70e0..21b8403 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -145,6 +145,10 @@  static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
         av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
         return;
     }
+    if (size < 0 || size >= INT_MAX/2) {
+        av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+        return;
+    }
     if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
         return;
     avio_read(s->pb, buf, size);
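Review bot: the `INT_MAX/2` bound in the new check is not explained in the hunk or the commit message, which is the point Luca raises in the thread. The only arithmetic on `size` visible here is `size + FF_INPUT_BUFFER_PADDING_SIZE`, so either a comment stating what the halved limit protects (e.g. `/* keep size + FF_INPUT_BUFFER_PADDING_SIZE well inside int range */`) or a bound written directly in those terms, such as `size > INT_MAX - FF_INPUT_BUFFER_PADDING_SIZE`, would make the intent self-evident to the next reader; if a later use of `size` needs the tighter limit, the comment should say so. The commit message also has only a Reported-by line and no body; one sentence noting that `size` comes straight from the file and is used unchecked as an allocation size would help the libav-stable maintainers judge the backport.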