Skip to content
Permalink
Browse files

avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information...
孙浩(晓黑) Michael Niedermayer
孙浩(晓黑) authored and Michael Niedermayer committed Aug 29, 2017
1 parent c24bcb5 commit 900f39692ca0337a98a7cf047e4e2611071810c2
Showing with 4 additions and 0 deletions.
  1. +4 −0 libavformat/mxfdec.c
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
segment->nb_index_entries = avio_rb32(pb);

length = avio_rb32(pb);
if(segment->nb_index_entries && length < 11)
return AVERROR_INVALIDDATA;

if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
!(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
}

for (i = 0; i < segment->nb_index_entries; i++) {
if(avio_feof(pb))
return AVERROR_INVALIDDATA;
segment->temporal_offset_entries[i] = avio_r8(pb);
avio_r8(pb); /* KeyFrameOffset */
segment->flag_entries[i] = avio_r8(pb);

1 comment on commit 900f396

@shqking

This comment has been minimized.

Copy link

commented on 900f396 Sep 7, 2017

This is CVE-2017-14170.

Please sign in to comment.
You can’t perform that action at this time.