On Tue, 19 May 2015 03:47:50 +0530 Niklesh Lalwani <niklesh.lalw...@iitb.ac.in> wrote:
> Updated patch. > > -Niklesh > + while (tracksize + 8 <= avpkt->size) { > + // A box is a minimum of 8 bytes. > + tsmb = ptr + tracksize - 2; > tsmb_size = AV_RB32(tsmb); > tsmb += 4; > tsmb_type = AV_RB32(tsmb); > tsmb += 4; > > + if (tracksize + tsmb_size > avpkt->size) > + break; > + > if (tsmb_type == MKBETAG('s','t','y','l')) { > You need to make sure you have two more bytes to read here first. > style_entries = AV_RB16(tsmb); > tsmb += 2; > > + // A single style record is of length 12 bytes. > + if (tracksize + 10 + style_entries * 12 > > avpkt->size) > + break; > + Rest looks good. Thanks! --phil
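
Review bot: the check `if (tracksize + tsmb_size > avpkt->size)` that follows the two AV_RB32 reads only rejects a box that is too large; nothing in the visible lines rejects a tsmb_size below 8, even though the added comment says a box is a minimum of 8 bytes. tsmb_size is taken straight from the packet, so a value of 0 passes this check, and if the loop advances tracksize by tsmb_size it would make no progress. Suggest rejecting `tsmb_size < 8` before the upper-bound test, and writing the upper bound as `tsmb_size > avpkt->size - tracksize` so that a very large tsmb_size cannot wrap the addition (the loop condition already guarantees the right-hand side is not negative).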
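
Review bot: in the 'styl' branch, the added check `tracksize + 10 + style_entries * 12 > avpkt->size` is measured against the packet size and not against the box's own tsmb_size, so a box whose style_entries count is larger than its declared size is still accepted whenever the packet is long enough, and any style records read afterwards would come from bytes that belong to whatever follows the box. Suggest also bounding the count by the box, for example `10 + style_entries * 12 > tsmb_size`. The check also sits after `style_entries = AV_RB16(tsmb);`, so it does not cover that 2-byte read itself.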