The size variable is (correctly) unsigned, but is passed to several functions
which take signed parameters, such as avio_read, sometimes after having
numbers added to it. This patch prevents unwanted implementation-defined
behaviour, while retaining the idea behind the original bounds check.
---
libavformat/apetag.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index 22884ef..bd8d0ed 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -57,8 +57,10 @@ static int ape_tag_read_field(AVFormatContext *s)
av_log(s, AV_LOG_WARNING, "Invalid APE tag key '%s'.\n", key);
return -1;
}
- if (size >= UINT_MAX)
- return -1;
+ if (size > INT32_MAX - FF_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_ERROR, "APE tag size too large.\n");
+ return AVERROR_INVALIDDATA;
+ }
if (flags & APE_TAG_FLAG_IS_BINARY) {
uint8_t filename[1024];
enum AVCodecID id;
--
1.9.1
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
