[libav-stable] 4xm: do not overread while parsing header

Luca Barbato git at libav.org
Wed Jun 12 15:11:17 CEST 2013


Module: libav
Branch: master
Commit: 42d73f7f6bea0ee0f64a3ad4882860ce5b923a11

Author:    Luca Barbato <lu_zero at gentoo.org>
Committer: Luca Barbato <lu_zero at gentoo.org>
Date:      Wed Jun  5 18:56:28 2013 +0200

4xm: do not overread while parsing header

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

---

 libavformat/4xm.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 1270fa3..614b1d5 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -90,11 +90,12 @@ static int fourxm_probe(AVProbeData *p)
 }
 
 static int parse_vtrk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
     AVStream *st;
     /* check that there is enough data */
-    if (size != vtrk_SIZE) {
+    if (size != vtrk_SIZE || left < size + 8) {
         return AVERROR_INVALIDDATA;
     }
 
@@ -120,12 +121,13 @@ static int parse_vtrk(AVFormatContext *s,
 
 
 static int parse_strk(AVFormatContext *s,
-                      FourxmDemuxContext *fourxm, uint8_t *buf, int size)
+                      FourxmDemuxContext *fourxm, uint8_t *buf, int size,
+                      int left)
 {
     AVStream *st;
     int track;
     /* check that there is enough data */
-    if (size != strk_SIZE)
+    if (size != strk_SIZE || left < size + 8)
         return AVERROR_INVALIDDATA;
 
     track = AV_RL32(buf + 8);
@@ -217,14 +219,20 @@ static int fourxm_read_header(AVFormatContext *s)
         size       = AV_RL32(&header[i + 4]);
 
         if (fourcc_tag == std__TAG) {
+            if (header_size - i < 16) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             fourxm->fps = av_int2float(AV_RL32(&header[i + 12]));
         } else if (fourcc_tag == vtrk_TAG) {
-            if ((ret = parse_vtrk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_vtrk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                 goto fail;
 
             i += 8 + size;
         } else if (fourcc_tag == strk_TAG) {
-            if ((ret = parse_strk(s, fourxm, header + i, size)) < 0)
+            if ((ret = parse_strk(s, fourxm, header + i, size,
+                                  header_size - i)) < 0)
                 goto fail;
 
             i += 8 + size;



More information about the libav-stable mailing list