Skip to content
Permalink
Browse files

avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information...
孙浩 and 张洪亮(望初) Michael Niedermayer
孙浩 and 张洪亮(望初) authored and Michael Niedermayer committed Aug 24, 2017
1 parent 124eb20 commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de
Showing with 12 additions and 3 deletions.
  1. +12 −3 libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
}

/** read offset and size tables */
for(i=0; i < frame_count;i++)
for(i=0; i < frame_count;i++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
chunk_size[i] = avio_rl32(pb);
for(i=0; i < frame_count;i++)
}
for(i=0; i < frame_count;i++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
chunk_offset[i] = avio_rl32(pb);
for(i=0; i < frame_count;i++)
}
for(i=0; i < frame_count;i++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
audio_size[i] = avio_rl32(pb) & 0xFFFF;
}

/** build the sample index */
for(i=0;i<frame_count;i++){

1 comment on commit 96f24d1

@shqking

This comment has been minimized.

Copy link

commented on 96f24d1 Sep 1, 2017

Please sign in to comment.
You can’t perform that action at this time.