diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2005-01-12 00:16:25 +0000 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2005-01-12 00:16:25 +0000 |
| commit | 0ecca7a49f8e254c12a3a1de048d738bfbb614c6 (patch) | |
| tree | 816c7073739d918ca579171204e6d3caf9977da5 /libavformat | |
| parent | f14d4e7e21c48967c1a877fa9c4eb9943d2c30f5 (diff) | |
various security fixes and precautionary checks
Originally committed as revision 3822 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat')
| -rw-r--r-- | libavformat/4xm.c | 2 | ||||
| -rw-r--r-- | libavformat/asf.c | 2 | ||||
| -rw-r--r-- | libavformat/aviobuf.c | 3 | ||||
| -rw-r--r-- | libavformat/flic.c | 2 | ||||
| -rw-r--r-- | libavformat/idroq.c | 2 | ||||
| -rw-r--r-- | libavformat/segafilm.c | 2 | ||||
| -rw-r--r-- | libavformat/utils.c | 2 | ||||
| -rw-r--r-- | libavformat/wc3movie.c | 10 |
8 files changed, 17 insertions, 8 deletions
diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 39e1e87061..73d6377245 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -279,7 +279,7 @@ static int fourxm_read_packet(AVFormatContext *s, /* allocate 8 more bytes than 'size' to account for fourcc * and size */ - if (av_new_packet(pkt, size + 8)) + if (size + 8 < size || av_new_packet(pkt, size + 8)) return AVERROR_IO; pkt->stream_index = fourxm->video_stream_index; pkt->pts = fourxm->video_pts; diff --git a/libavformat/asf.c b/libavformat/asf.c index cde3054592..8450b53f94 100644 --- a/libavformat/asf.c +++ b/libavformat/asf.c @@ -333,7 +333,7 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap) { value = (char *)av_mallocz(value_len); get_str16_nolen(pb, value_len, value, value_len); - if (strcmp(name,"WM/AlbumTitle")==0) { strcpy(s->album, value); } + if (strcmp(name,"WM/AlbumTitle")==0) { pstrcpy(s->album, sizeof(s->album), value); } av_free(value); } if ((value_type >= 2) || (value_type <= 5)) // boolean or DWORD or QWORD or WORD diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index bb55254532..7db4f15515 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -350,6 +350,9 @@ int get_buffer(ByteIOContext *s, unsigned char *buf, int size) int get_partial_buffer(ByteIOContext *s, unsigned char *buf, int size) { int len; + + if(size<0) + return -1; len = s->buf_end - s->buf_ptr; if (len == 0) { diff --git a/libavformat/flic.c b/libavformat/flic.c index 65b7b9f92a..7fc3b9a33f 100644 --- a/libavformat/flic.c +++ b/libavformat/flic.c @@ -171,7 +171,7 @@ static int flic_read_packet(AVFormatContext *s, size = LE_32(&preamble[0]); magic = LE_16(&preamble[4]); - if ((magic == FLIC_CHUNK_MAGIC_1) || (magic == FLIC_CHUNK_MAGIC_2)) { + if (((magic == FLIC_CHUNK_MAGIC_1) || (magic == FLIC_CHUNK_MAGIC_2)) && size > FLIC_PREAMBLE_SIZE) { if (av_new_packet(pkt, size)) { ret = AVERROR_IO; break; diff --git a/libavformat/idroq.c b/libavformat/idroq.c index 5380f81213..13553ed847 100644 --- a/libavformat/idroq.c +++ b/libavformat/idroq.c @@ -196,6 +196,8 @@ static int roq_read_packet(AVFormatContext *s, chunk_type = LE_16(&preamble[0]); chunk_size = LE_32(&preamble[2]); + if(chunk_size > INT_MAX) + return AVERROR_INVALIDDATA; switch (chunk_type) { diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c index 3f752a1d9b..d984a3b10b 100644 --- a/libavformat/segafilm.c +++ b/libavformat/segafilm.c @@ -231,6 +231,8 @@ static int film_read_packet(AVFormatContext *s, (film->video_type == CODEC_ID_CINEPAK)) { if (av_new_packet(pkt, sample->sample_size - film->cvid_extra_bytes)) return AVERROR_NOMEM; + if(pkt->size < 10) + return -1; ret = get_buffer(pb, pkt->data, 10); /* skip the non-spec CVID bytes */ url_fseek(pb, film->cvid_extra_bytes, SEEK_CUR); diff --git a/libavformat/utils.c b/libavformat/utils.c index 8366b35c38..44f5e76c11 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -57,7 +57,7 @@ int match_ext(const char *filename, const char *extensions) p = extensions; for(;;) { q = ext1; - while (*p != '\0' && *p != ',') + while (*p != '\0' && *p != ',' && q-ext1<sizeof(ext1)-1) *q++ = *p++; *q = '\0'; if (!strcasecmp(ext1, ext)) diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c index b5f5c35adf..6f9fedd3db 100644 --- a/libavformat/wc3movie.c +++ b/libavformat/wc3movie.c @@ -169,14 +169,16 @@ static int wc3_read_header(AVFormatContext *s, if ((ret = get_buffer(pb, preamble, 4)) != 4) return AVERROR_IO; wc3->palette_count = LE_32(&preamble[0]); - if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE) + if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE){ + wc3->palette_count= 0; return -1; + } wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE); break; case BNAM_TAG: /* load up the name */ - if (size < 512) + if ((unsigned)size < 512) bytes_to_read = size; else bytes_to_read = 512; @@ -195,7 +197,7 @@ static int wc3_read_header(AVFormatContext *s, case PALT_TAG: /* one of several palettes */ - if (current_palette >= wc3->palette_count) + if ((unsigned)current_palette >= wc3->palette_count) return AVERROR_INVALIDDATA; if ((ret = get_buffer(pb, &wc3->palettes[current_palette * PALETTE_SIZE], @@ -331,7 +333,7 @@ static int wc3_read_packet(AVFormatContext *s, #if 0 url_fseek(pb, size, SEEK_CUR); #else - if ((ret = get_buffer(pb, text, size)) != size) + if ((unsigned)size > sizeof(text) || (ret = get_buffer(pb, text, size)) != size) ret = AVERROR_IO; else { int i = 0; |