vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Fri May 17 13:17:41 2019 +0200| [b96e1a6380368240a156d84617c4379df14b0ec1] | committer: Hugo Beauzée-Luyssen
avi: Fix potential integer overflow Leading to an out of bound read https://hackerone.com/reports/501971 https://hackerone.com/reports/484398 (cherry picked from commit 2e7d1075b715e4e7a8772039c9a74b4834e64342) Signed-off-by: Hugo Beauzée-Luyssen <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=b96e1a6380368240a156d84617c4379df14b0ec1 --- modules/demux/avi/avi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c index 3492485a25..fb1c8e728b 100644 --- a/modules/demux/avi/avi.c +++ b/modules/demux/avi/avi.c @@ -944,7 +944,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk, p_frame->i_buffer--; } - if( i_header >= p_frame->i_buffer ) + if( i_header >= p_frame->i_buffer || tk->i_width_bytes > INT32_MAX - 3 ) { p_frame->i_buffer = 0; return p_frame; @@ -954,7 +954,7 @@ static block_t * ReadFrame( demux_t *p_demux, const avi_track_t *tk, p_frame->p_buffer += i_header; p_frame->i_buffer -= i_header; - const unsigned int i_stride_bytes = ((( (tk->i_width_bytes << 3) + 31) & ~31) >> 3); + const unsigned int i_stride_bytes = (tk->i_width_bytes + 3) & ~3; if ( !tk->i_width_bytes || !i_stride_bytes ) return p_frame; _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
