Skip to content

Commit f173cdf

Browse files
孙浩(晓黑)michaelni
孙浩(晓黑)
authored andcommitted
avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com> Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 900f396) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent 4fedc4c commit f173cdf

File tree

1 file changed

+4
-0
lines changed

1 file changed

+4
-0
lines changed

Diff for: libavformat/mxfdec.c

+4
Original file line numberDiff line numberDiff line change
@@ -762,13 +762,17 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
762762
segment->nb_index_entries = avio_rb32(pb);
763763

764764
length = avio_rb32(pb);
765+
if(segment->nb_index_entries && length < 11)
766+
return AVERROR_INVALIDDATA;
765767

766768
if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) ||
767769
!(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
768770
!(segment->stream_offset_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->stream_offset_entries))))
769771
return AVERROR(ENOMEM);
770772

771773
for (i = 0; i < segment->nb_index_entries; i++) {
774+
if(avio_feof(pb))
775+
return AVERROR_INVALIDDATA;
772776
segment->temporal_offset_entries[i] = avio_r8(pb);
773777
avio_r8(pb); /* KeyFrameOffset */
774778
segment->flag_entries[i] = avio_r8(pb);

0 commit comments

Comments
 (0)