diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2005-01-08 14:21:33 +0000 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2005-01-08 14:21:33 +0000 |
| commit | 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch) | |
| tree | 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/nut.c | |
| parent | 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff) | |
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/nut.c')
| -rw-r--r-- | libavformat/nut.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/libavformat/nut.c b/libavformat/nut.c index 67b317ed69..010e09c3bf 100644 --- a/libavformat/nut.c +++ b/libavformat/nut.c @@ -82,7 +82,7 @@ typedef struct { int written_packet_size; int64_t packet_start[3]; //0-> startcode less, 1-> short startcode 2-> long startcodes FrameCode frame_code[256]; - int stream_count; + unsigned int stream_count; uint64_t next_startcode; ///< stores the next startcode if it has alraedy been parsed but the stream isnt seekable StreamContext *stream; int max_distance; @@ -255,8 +255,8 @@ static uint64_t get_v(ByteIOContext *bc) return -1; } -static int get_str(ByteIOContext *bc, char *string, int maxlen){ - int len= get_v(bc); +static int get_str(ByteIOContext *bc, char *string, unsigned int maxlen){ + unsigned int len= get_v(bc); if(len && maxlen) get_buffer(bc, string, FFMIN(len, maxlen)); @@ -283,7 +283,7 @@ static int64_t get_s(ByteIOContext *bc){ static uint64_t get_vb(ByteIOContext *bc){ uint64_t val=0; - int i= get_v(bc); + unsigned int i= get_v(bc); if(i>8) return UINT64_MAX; @@ -877,6 +877,10 @@ static int decode_main_header(NUTContext *nut){ } nut->stream_count = get_v(bc); + if(nut->stream_count > MAX_STREAMS){ + av_log(s, AV_LOG_ERROR, "too many streams\n"); + return -1; + } nut->max_distance = get_v(bc); nut->max_short_distance = get_v(bc); nut->rate_num= get_v(bc); @@ -982,6 +986,8 @@ static int decode_stream_header(NUTContext *nut){ /* codec specific data headers */ while(get_v(bc) != 0){ st->codec.extradata_size= get_v(bc); + if((unsigned)st->codec.extradata_size > (1<<30)) + return -1; st->codec.extradata= av_mallocz(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); get_buffer(bc, st->codec.extradata, st->codec.extradata_size); // url_fskip(bc, get_v(bc)); |