On Mon, Feb 15, 2016 at 11:02 AM, Michael Niedermayer <mich...@niedermayer.cc> wrote:
> On Mon, Feb 15, 2016 at 09:57:51AM -0800, Mark Harris wrote:
>> Avoid invalid memory read/crash when ico offset >= 0xfffffff8.
>> Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
>> ---
>> libavformat/icodec.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/libavformat/icodec.c b/libavformat/icodec.c
>> index 6ddb901..8f84337 100644
>> --- a/libavformat/icodec.c
>> +++ b/libavformat/icodec.c
>> @@ -60,7 +60,7 @@ static int probe(AVProbeData *p)
>> offset = AV_RL32(p->buf + 18 + i * 16);
>> if (offset < 22)
>> return FFMIN(i, AVPROBE_SCORE_MAX / 4);
>> - if (offset + 8 > p->buf_size)
>> + if (offset > p->buf_size - 8)
>
> buf_size - 8 can underflow or more precisely is not guaranteed to be
> representable as unsigned while the compare is using unsigned
>
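Review bot: the new guard `if (offset > p->buf_size - 8)` is only correct when `p->buf_size >= 8`; `p->buf_size - 8` is an int that gets converted to unsigned for the comparison, so for a buffer shorter than 8 bytes it becomes a huge value that `offset` never exceeds and no entry is rejected. Nothing in the quoted hunk establishes that lower bound, so the check depends on an invariant from code outside the hunk (the zero-padded count read). Widening the arithmetic instead, `if ((int64_t)offset + 8 > p->buf_size)`, removes the wraparound at both ends, the original `offset + 8` wrap for `offset >= 0xfffffff8` that the commit message fixes and the new small-buffer case, without relying on that invariant; at minimum the dependency deserves a comment next to the check.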
If p->buf_size was less than 8, would it not have returned before this?
AV_RL32(p->buf + 14) would be 0 and offset = AV_RL32(p->buf + 18) would
be 0, due to the zero padding of the probe buffer.

- Mark

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
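The three forms of the bounds check argued over in this thread side by side, as an added example that is not FFmpeg's code: a constructed model where `offset` stands for the uint32_t directory entry read with AV_RL32() and `buf_size` for the int probe buffer size, with the sample offsets and sizes chosen here for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the icodec.c probe() bounds check, added for
 * illustration; it is not FFmpeg's code. Each function returns true when
 * the directory entry should be rejected as extending past the buffer. */

/* Original check: offset + 8 is evaluated in 32-bit unsigned arithmetic, so
 * offset >= 0xfffffff8 wraps to a small value and the entry is accepted. */
bool reject_original(uint32_t offset, int buf_size)
{
    return offset + 8 > (unsigned)buf_size;
}

/* Patched check: correct whenever buf_size >= 8. For a smaller buffer the
 * int result buf_size - 8 is negative and converts to a huge unsigned value
 * for the comparison, so nothing is ever rejected (Michael's objection). */
bool reject_patched(uint32_t offset, int buf_size)
{
    return offset > (unsigned)(buf_size - 8);
}

/* Widened check: the sum cannot wrap in 64 bits and no negative value is
 * compared as unsigned, so it needs no invariant from earlier code. */
bool reject_widened(uint32_t offset, int buf_size)
{
    return (int64_t)offset + 8 > buf_size;
}

int main(void)
{
    /* Constructed cases: the offset from the patch description, an
     * undersized probe buffer, and an ordinary in-range entry. */
    const uint32_t offsets[]   = { 0xfffffff8u, 100u, 30u };
    const int      buf_sizes[] = { 2048, 4, 2048 };
    printf("offset     buf_size original patched widened\n");
    for (int i = 0; i < 3; i++)
        printf("0x%08" PRIx32 " %8d %8d %7d %7d\n", offsets[i], buf_sizes[i],
               reject_original(offsets[i], buf_sizes[i]),
               reject_patched(offsets[i], buf_sizes[i]),
               reject_widened(offsets[i], buf_sizes[i]));
    return 0;
}
```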