On Mon, Feb 15, 2016 at 09:57:51AM -0800, Mark Harris wrote: > Avoid invalid memory read/crash when ico offset >= 0xfffffff8. > Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w== > --- > libavformat/icodec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavformat/icodec.c b/libavformat/icodec.c > index 6ddb901..8f84337 100644 > --- a/libavformat/icodec.c > +++ b/libavformat/icodec.c > @@ -60,7 +60,7 @@ static int probe(AVProbeData *p) > offset = AV_RL32(p->buf + 18 + i * 16); > if (offset < 22) > return FFMIN(i, AVPROBE_SCORE_MAX / 4); > - if (offset + 8 > p->buf_size) > + if (offset > p->buf_size - 8)
buf_size - 8 can underflow or more precissely is not guranteed to be representable as unsigned while the compare is using unsigned [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If a bugfix only changes things apparently unrelated to the bug with no further explanation, that is a good sign that the bugfix is wrong.
signature.asc
Description: Digital signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
