On 28/07/2012 1:01 PM, Måns Rullgård wrote:
>>> + info_tag = AV_RL32(src);
>>> + if (info_tag == MKTAG('I', 'N', 'F', 'O')) {
>>> + info_offset = AV_RL32(src + 4) + 8;
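Review bot: `info_offset = AV_RL32(src + 4) + 8` takes a 32-bit length straight from the packet and adds 8 without any range check, so the addition can wrap and the offset is never compared against `avpkt->size` before it is used; check that at least 8 bytes are available before reading the tag and length, and reject the chunk (return an error such as `AVERROR_INVALIDDATA`) when the length plus the 8-byte header exceeds the remaining packet size, computing the comparison in a way that cannot overflow.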
>
> The value read from the bitstream needs to be validated before adding 8,
> or it could overflow.
Will do.
>>> + src += info_offset;
>>> + av_log(avctx, AV_LOG_DEBUG, "Skipping INFO chunk.\n");
>>> + }
>>> +
>>> + /* bswap16 the buffer since CLLC's bitreader works in 16-bit WORDS */
>>> + ctx->dsp.bswap16_buf((uint16_t *) ctx->swapped_buf, (uint16_t *) src,
>>> + (avpkt->size - info_offset) / 2);
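Review bot: `src += info_offset` and `(avpkt->size - info_offset) / 2` are evaluated with no check that `info_offset <= avpkt->size`; on a malformed stream the subtraction goes negative or wraps (depending on the type of `info_offset`), `bswap16_buf` is handed an enormous length, and `src` points past the end of the packet, which is exactly the crash described in the review. Add a bounds check that returns an error before the `src += info_offset` line, and consider whether an odd remaining size (the `/ 2` silently drops a trailing byte) should also be rejected.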
>>
>> Are you sure you don't want to check info_offset to ensure it actually
>> leads to a greater-than-zero result before continuing? I'm pretty sure
>> this can crash on malformed streams.
>
> Yes, more checks are needed.
Will add.
Thanks,
- Derek
_______________________________________________
libav-devel mailing list
https://lists.libav.org/mailman/listinfo/libav-devel