rtpdec_asf: Fix integer underflow that could allow remote code execution

Fixes MSVR-11-0088. Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Martin Storsjö <martin@martin.st>
author: Michael Niedermayer <michaelni@gmx.at> 2011-09-07 14:12:42 +0200
committer: Martin Storsjö <martin@martin.st> 2011-09-07 23:33:53 +0300
commit: 5ea091fb5a12dc0210b8efdf30b573b87e21652b (patch)
tree: 2df6201097f89765182942e0b46b7b73d979ffaa /libavformat/rtpdec_asf.c
parent: 0ca36b4de76e10578e23199c2932682c0f510e31 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/libavformat/rtpdec_asf.c b/libavformat/rtpdec_asf.c
index 287025f377..9d8c87b889 100644
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
 
                 int cur_len = start_off + len_off - off;
                 int prev_len = out_len;
+                void *newmem;
                 out_len += cur_len;
-                asf->buf = av_realloc(asf->buf, out_len);
+                if (FFMIN(cur_len, len - off) < 0)
+                    return -1;
+                newmem = av_realloc(asf->buf, out_len);
+                if (!newmem)
+                    return -1;
+                asf->buf = newmem;
                 memcpy(asf->buf + prev_len, buf + off,
                        FFMIN(cur_len, len - off));
                 avio_skip(pb, cur_len);
author	Michael Niedermayer <michaelni@gmx.at>	2011-09-07 14:12:42 +0200
committer	Martin Storsjö <martin@martin.st>	2011-09-07 23:33:53 +0300
commit	5ea091fb5a12dc0210b8efdf30b573b87e21652b (patch)
tree	2df6201097f89765182942e0b46b7b73d979ffaa /libavformat/rtpdec_asf.c
parent	0ca36b4de76e10578e23199c2932682c0f510e31 (diff)