sön 2018-05-27 klockan 21:21 +0200 skrev Marton Balint:
>
> Signed-off-by: Marton Balint <c...@passwd.hu>
> ---
> libavformat/mxfdec.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
> index 7a42555562..40c9e0c3a9 100644
> --- a/libavformat/mxfdec.c
> +++ b/libavformat/mxfdec.c
> @@ -372,6 +372,8 @@ static int64_t klv_decode_ber_length(AVIOContext *pb)
> while (bytes_num--)
> size = size << 8 | avio_r8(pb);
> }
> + if (size > INT64_MAX)
> + return AVERROR_INVALIDDATA;
> return size;
> }
>
> @@ -390,13 +392,17 @@ static int mxf_read_sync(AVIOContext *pb, const uint8_t
> *key, unsigned size)
>
> static int klv_read_packet(KLVPacket *klv, AVIOContext *pb)
> {
> + int64_t length;
> if (!mxf_read_sync(pb, mxf_klv_key, 4))
> return AVERROR_INVALIDDATA;
> klv->offset = avio_tell(pb) - 4;
> memcpy(klv->key, mxf_klv_key, 4);
> avio_read(pb, klv->key + 4, 12);
> - klv->length = klv_decode_ber_length(pb);
> - return klv->length == -1 ? -1 : 0;
> + length = klv_decode_ber_length(pb);
> + if (length < 0)
> + return length;
> + klv->length = length;
> + return 0;
> }
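Review bot: The added `if (size > INT64_MAX)` guard in klv_decode_ber_length only has an effect if `size` is an unsigned 64-bit accumulator, and its declaration lies above the hunk, so this cannot be confirmed from the visible lines. A short comment at the check would stop a later type change from silently disabling it, for example `/* size is unsigned: anything above INT64_MAX would turn negative in the int64_t return and be mistaken for an error code */`. Separately, the shift loop accepts whatever avio_r8() yields, so a file truncated inside the length field presumably decodes to a small or zero length rather than an error; callers should still bound the returned length against the remaining input.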
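Review bot: The context line `avio_read(pb, klv->key + 4, 12);` in klv_read_packet still discards its return value, so a file that ends inside the 16-byte key leaves the tail of `klv->key` unfilled and the function goes on to decode a length anyway. Checking the count closes that gap: `if (avio_read(pb, klv->key + 4, 12) != 12) return AVERROR_INVALIDDATA;`. As a smaller point, `return length;` narrows int64_t to int implicitly; that is safe only because every negative value reaching it is an error code, and `return (int)length;` or a one-line comment would make that assumption explicit.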
This feels like the kind of thing that should have been caught ages ago. Are there any other -1's like this hiding in mxfdec? I took a quick look but didn't find much /Tomas