Quoting Vittorio Giovara (2014-10-18 17:58:46)
> CC: [email protected]
> Bug-Id: CID 1061055
> ---
>  libavformat/flac_picture.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c
> index 69d2724..a6b5537 100644
> --- a/libavformat/flac_picture.c
> +++ b/libavformat/flac_picture.c
> @@ -31,8 +31,8 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, 
> int buf_size)
>      uint8_t mimetype[64], *desc = NULL;
>      AVIOContext *pb = NULL;
>      AVStream *st;
> -    int type, width, height;
> -    int len, ret = 0;
> +    int width, height, ret = 0;
> +    unsigned int type, len;
>  
>      pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL);
>      if (!pb)
> @@ -40,7 +40,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, 
> int buf_size)
>  
>      /* read the picture type */
>      type = avio_rb32(pb);
> -    if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types) || type < 0) {
> +    if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
>          av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
>          if (s->error_recognition & AV_EF_EXPLODE) {
>              ret = AVERROR_INVALIDDATA;
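Review bot: The `av_log` call in this hunk still formats `type` with `%d` although the patch changes it to `unsigned int`, so an out-of-range value read from the file is passed with a mismatched conversion and will typically be printed as a negative number. It should read `av_log(s, AV_LOG_ERROR, "Invalid picture type: %u.\n", type);`. The same applies to the `"Invalid attached picture size: %d.\n"` message in the last hunk, where `len` is now unsigned as well. The enclosing function starts and ends outside this hunk.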
> @@ -51,7 +51,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, 
> int buf_size)
>  
>      /* picture mimetype */
>      len = avio_rb32(pb);
> -    if (len <= 0 ||
> +    if (!len || len >= 64 ||
>          avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) {
>          av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
>                 "picture.\n");
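Review bot: The new upper bound is written as the literal `64`, which duplicates the size in the `uint8_t mimetype[64]` declaration shown in the first hunk; if the array is ever resized, the check and the buffer drift apart without a compiler warning. Writing it as `if (!len || len >= sizeof(mimetype) ||` keeps the limit tied to the destination buffer. With that bound in place the `FFMIN(len, sizeof(mimetype) - 1)` clamp can no longer take effect, so the read could be reduced to `avio_read(pb, mimetype, len) != len) {`, which makes the length actually written easier to audit. The rest of this error branch lies outside the hunk.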
> @@ -100,7 +100,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t 
> *buf, int buf_size)
>  
>      /* picture data */
>      len = avio_rb32(pb);
> -    if (len <= 0) {
> +    if (!len) {
>          av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len);
>          if (s->error_recognition & AV_EF_EXPLODE)
>              ret = AVERROR_INVALIDDATA;
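Review bot: Making `len` unsigned and testing only `!len` means a size field above INT_MAX, which the old `len <= 0` check would typically have rejected as negative, is now accepted as a valid picture size. The code that consumes `len` comes after this hunk and is not visible here, but if it sizes an allocation or a read from it (possibly after adding padding), the value needs an upper bound first. Since the picture is parsed out of `buf`, one option is `if (!len || len > (unsigned int)buf_size) {`; confirm that `buf_size` cannot be negative at this point.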
> -- 
> 1.9.3 (Apple Git-50)
> 

Where exactly is the write being fixed?

-- 
Anton Khirnov