Skip to content

Commit

Permalink
avformat/asfdec_o: Check size_bmp more fully
Browse files Browse the repository at this point in the history 
Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
@michaelni
michaelni committed Jul 5, 2018
1 parent bab0716 commit 2b46ebd
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion libavformat/asfdec_o.c
View file
Expand Up @@ -706,7 +706,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
size_bmp = FFMAX(size_asf, size_bmp);

if (size_bmp > BMP_HEADER_SIZE) {
if (size_bmp > BMP_HEADER_SIZE &&
size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
int ret;
st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE;
if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +
Expand Down

2 comments on commit 2b46ebd

@tolstikhell
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2b46ebd0

@wqazzz
Copy link

@wqazzz wqazzz commented on 2b46ebd May 23, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is CVE-2018-1999011

Please sign in to comment.