Commit 5ea091fb authored by Michael Niedermayer's avatar Michael Niedermayer Committed by Martin Storsjö

rtpdec_asf: Fix integer underflow that could allow remote code execution

Fixes MSVR-11-0088.
Credit:  Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR)
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
Signed-off-by: 's avatarMartin Storsjö <martin@martin.st>
parent 0ca36b4d
...@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf, ...@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
int cur_len = start_off + len_off - off; int cur_len = start_off + len_off - off;
int prev_len = out_len; int prev_len = out_len;
void *newmem;
out_len += cur_len; out_len += cur_len;
asf->buf = av_realloc(asf->buf, out_len); if (FFMIN(cur_len, len - off) < 0)
return -1;
newmem = av_realloc(asf->buf, out_len);
if (!newmem)
return -1;
asf->buf = newmem;
memcpy(asf->buf + prev_len, buf + off, memcpy(asf->buf + prev_len, buf + off,
FFMIN(cur_len, len - off)); FFMIN(cur_len, len - off));
avio_skip(pb, cur_len); avio_skip(pb, cur_len);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment