rtpdec_asf: Fix integer underflow that could allow remote code execution

Fixes MSVR-11-0088. Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Martin Storsjö <martin@martin.st>

rtpdec_asf: Fix integer underflow that could allow remote code execution
Fixes MSVR-11-0088. Credit: Jeong Wook Oh of Microsoft and Microsoft Vulnerability Research (MSVR) Signed-off-by: Michael Niedermayer <michaelni@gmx.at> Signed-off-by: Martin Storsjö <martin@martin.st>
5ea091fb · Michael Niedermayer · Martin Storsjö · 0ca36b4d · 5ea091fb
Commit 5ea091fb authored Sep 07, 2011 by Michael Niedermayer Committed by Martin Storsjö Sep 07, 2011
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 1 deletion

rtpdec_asf.c libavformat/rtpdec_asf.c +7 -1

No files found.
--- a/libavformat/rtpdec_asf.c
+++ b/libavformat/rtpdec_asf.c
@@ -233,8 +233,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,

                int cur_len = start_off + len_off - off;
                int prev_len = out_len;
+                void *newmem;
                out_len += cur_len;
-                asf->buf = av_realloc(asf->buf, out_len);
+                if (FFMIN(cur_len, len - off) < 0)
+                    return -1;
+                newmem = av_realloc(asf->buf, out_len);
+                if (!newmem)
+                    return -1;
+                asf->buf = newmem;
                memcpy(asf->buf + prev_len, buf + off,
                       FFMIN(cur_len, len - off));
                avio_skip(pb, cur_len);