Skip to content
Permalink
Browse files Browse the repository at this point in the history
avformat/rl2: Fix DoS due to lack of eof check
Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
孙浩 and 张洪亮(望初) authored and michaelni committed Aug 27, 2017
1 parent 124eb20 commit 96f24d1
Showing 1 changed file with 12 additions and 3 deletions.
15 changes: 12 additions & 3 deletions libavformat/rl2.c
Expand Up @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
}

/** read offset and size tables */
for(i=0; i < frame_count;i++)
for(i=0; i < frame_count;i++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
chunk_size[i] = avio_rl32(pb);
for(i=0; i < frame_count;i++)
}
for(i=0; i < frame_count;i++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
chunk_offset[i] = avio_rl32(pb);
for(i=0; i < frame_count;i++)
}
for(i=0; i < frame_count;i++) {
if (avio_feof(pb))
return AVERROR_INVALIDDATA;
audio_size[i] = avio_rl32(pb) & 0xFFFF;
}

/** build the sample index */
for(i=0;i<frame_count;i++){
Expand Down

1 comment on commit 96f24d1

@shqking
Copy link

@shqking shqking commented on 96f24d1 Sep 1, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.