[vlc-commits] avi: Fix integer overflow

Tue, 15 Dec 2020 03:52:44 -0800 

vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Mon Nov 
 9 09:54:27 2020 +0100| [56cbe9c4b59edbdc5e1bb2687992f3bbf492eccb] | committer: 
Hugo Beauzée-Luyssen

avi: Fix integer overflow

Which would in turn cause a size verification failure, leading to a
buffer overflow
Reported by: Zhen Zhou, NSFOCUS Security Team

(cherry picked from commit a4b1de184faf86617b4432954c1984e0027fb246)
Signed-off-by: Hugo Beauzée-Luyssen <[email protected]>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=56cbe9c4b59edbdc5e1bb2687992f3bbf492eccb
---

 modules/demux/avi/avi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 9ca8043472..7868a0f90e 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -3078,7 +3078,7 @@ static void AVI_ExtractSubtitle( demux_t *p_demux,
     if( i_size < 6 || GetWLE( &p[0] ) != 0x04 )
         goto exit;
     const unsigned i_payload = GetDWLE( &p[2] );
-    if( i_size < 6 + i_payload || i_payload <= 0 )
+    if( i_size - 6 < i_payload || i_payload == 0 )
         goto exit;
     p += 6;
     i_size -= 6;

_______________________________________________
vlc-commits mailing list
[email protected]
https://mailman.videolan.org/listinfo/vlc-commits

Reply via email to