The branch, master has been updated
       via  55e71768cf7d9cb395187be0cf38e97b9c454ea1 (commit)
      from  8d65da767b2b727a80672969f3120286ee478290 (commit)


- Log -----------------------------------------------------------------
commit 55e71768cf7d9cb395187be0cf38e97b9c454ea1
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat Sep 20 01:25:51 2025 +0200
Commit:     michaelni <[email protected]>
CommitDate: Sun Sep 21 00:49:44 2025 +0000

    avformat/dhav: Fix off by length of read element error
    
    Fixes: out of array read
    Fixes: BIGSLEEP-445383648
    Fixes: crash_input_1/2/3.dhav
    
    Found-by: Google Big Sleep
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/dhav.c b/libavformat/dhav.c
index 21c9c530d6..b3fa612ab3 100644
--- a/libavformat/dhav.c
+++ b/libavformat/dhav.c
@@ -251,7 +251,7 @@ static int64_t get_duration(AVFormatContext *s)
     unsigned date;
     int64_t size = avio_size(s->pb);
 
-    if (start_pos + 16 > size)
+    if (start_pos + 20 > size)
         return 0;
 
     avio_skip(s->pb, 16);
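Review bot: The bound `20` in `if (start_pos + 20 > size)` is an unexplained literal. It is the 16 bytes consumed by `avio_skip(s->pb, 16)` plus the width of the field read after it, presumably 4 bytes, though that read is outside the hunk. Writing it as `if (start_pos + 16 + 4 > size)`, or adding `/* 16 skipped bytes + 32-bit date field */`, keeps the check tied to the access it guards, so a later change to either offset cannot silently bring back the off-by-length error. The same applies to `pos + 20` in the second hunk, where the guarded access is `AV_RL32(buffer + (pos - buffer_pos) + 16)`. get_duration starts and ends outside both hunks.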
@@ -279,7 +279,7 @@ static int64_t get_duration(AVFormatContext *s)
         }
     }
 
-    if (pos < buffer_pos || pos + 16 > buffer_pos + buffer_size)
+    if (pos < buffer_pos || pos + 20 > buffer_pos + buffer_size)
         goto fail;
 
     date = AV_RL32(buffer + (pos - buffer_pos) + 16);
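Review bot: Both sides of `pos + 20 > buffer_pos + buffer_size` are signed sums of values that appear to come from file positions, and an overflow in either sum is undefined behaviour that could in principle let the guard pass before the `AV_RL32` read on the following line. Since the first half of the condition already establishes `pos >= buffer_pos`, a subtractive form avoids the additions: `if (pos < buffer_pos || pos - buffer_pos > buffer_size - 20)`. This assumes `buffer_size` is a signed type; the declarations of `pos`, `buffer_pos` and `buffer_size` are outside the hunk, so confirm that before changing the comparison.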

-----------------------------------------------------------------------

Summary of changes:
 libavformat/dhav.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

