If sm_size is negative, it makes size larger than the size of the packet buffer, causing invalid writes in avio_read.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavformat/nutdec.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 286d1ee..47ae7a7 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1146,6 +1146,11 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
 goto fail;
 }
 sm_size = avio_tell(bc) - pkt->pos;
+ if (sm_size < 0) {
+ av_log(nut->avf, AV_LOG_ERROR, "negative sm_size %d\n", sm_size);
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
 size -= sm_size;
 pkt->size -= sm_size;
 }
-- 
2.6.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
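Review bot: The added guard rejects only a negative sm_size, so a value larger than `size` still reaches `size -= sm_size;` and `pkt->size -= sm_size;` and would leave both lengths negative for whatever consumes them afterwards. Bounding it on both sides, `if (sm_size < 0 || sm_size > size) {`, would cover that case. The declarations of `sm_size` and `size` are outside the hunk, but the `%d` format suggests `sm_size` is an int. If so, the 64-bit result of `avio_tell(bc) - pkt->pos` is narrowed on assignment and a wrapped value could pass the sign check, so it is safer to range-check the difference in an `int64_t` before storing it. decode_frame's body starts and ends outside the hunk.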