ffmpeg | branch: release/2.8 | 孙浩(晓黑) <tony...@alibaba-inc.com> | Tue Aug 29 23:59:21 2017 +0200| [5b3986023bbf3a8beb36d30ae580132b8bd66670] | committer: Michael Niedermayer
avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" <wangchu....@alibaba-inc.com> Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b3986023bbf3a8beb36d30ae580132b8bd66670 --- libavformat/nsvdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index de55396508..c6c3592345 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;i<table_entries_used;i++) + for(i=0;i<table_entries_used;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; nsv->nsvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
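Review bot: The new `return AVERROR_INVALIDDATA;` inside the `for` loop exits after `nsv->nsvs_file_offset` has already been allocated (the `ENOMEM` check directly above it), and nothing in the hunk frees it on this path. Please confirm that the demuxer's close function runs when header parsing fails and that it releases the table, or free it here before returning. The check itself is placed correctly: on a truncated input `avio_rl32(pb)` keeps returning without advancing, so testing `avio_feof(pb)` on every iteration is what stops the loop from running through the full `table_entries_used` count. The `TOC2` branch in the trailing context is guarded by the same `table_entries_used`, so if it reads a second table with `avio_rl32(pb)` in a loop, that loop needs the same `avio_feof(pb)` test.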