From 72ec043af4510723c53c729a67be482a14b7c7f3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Mar 2012 14:53:09 -0400 Subject: oma: Fix out of array read. Input: 01-Untitled-partial.oma ZZUF params: zzuf[s=7157,r=0.001] Fixes Bugzilla #106 Bug-found-by: darkshikari Signed-off-by: Michael Niedermayer Signed-off-by: Ronald S. Bultje --- libavformat/omadec.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'libavformat/omadec.c') diff --git a/libavformat/omadec.c b/libavformat/omadec.c index 810e970c11..022942d242 100644 --- a/libavformat/omadec.c +++ b/libavformat/omadec.c @@ -140,7 +140,7 @@ static int rprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *r_val) return memcmp(&enc_header[pos], oc->sm_val, 8) ? -1 : 0; } -static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val) +static int nprobe(AVFormatContext *s, uint8_t *enc_header, int size, const uint8_t *n_val) { OMAContext *oc = s->priv_data; uint32_t pos, taglen, datalen; @@ -159,6 +159,9 @@ static int nprobe(AVFormatContext *s, uint8_t *enc_header, const uint8_t *n_val) taglen = AV_RB32(&enc_header[pos+32]); datalen = AV_RB32(&enc_header[pos+36]) >> 4; + if(taglen + (((uint64_t)datalen)<<4) + 44 > size) + return -1; + pos += 44 + taglen; av_des_init(&av_des, n_val, 192, 1); @@ -229,14 +232,14 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header) } if (!memcmp(oc->r_val, (const uint8_t[8]){0}, 8) || rprobe(s, gdata, oc->r_val) < 0 && - nprobe(s, gdata, oc->n_val) < 0) { + nprobe(s, gdata, geob->datasize, oc->n_val) < 0) { int i; for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) { uint8_t buf[16]; AV_WL64(buf, leaf_table[i]); AV_WL64(&buf[8], leaf_table[i+1]); kset(s, buf, buf, 16); - if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, oc->n_val)) + if (!rprobe(s, gdata, oc->r_val) || !nprobe(s, gdata, geob->datasize, oc->n_val)) break; } if (i >= sizeof(leaf_table)) { -- cgit v1.2.3