wtv: Add more sanity checks for a length read from the file

Also make sure the existing length check can't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>

wtv: Add more sanity checks for a length read from the file
Also make sure the existing length check can't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
83c285f8 · Martin Storsjö · d8b68660 · 83c285f8
Commit 83c285f8 authored Sep 19, 2013 by Martin Storsjö
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

wtv.c libavformat/wtv.c +6 -1

No files found.
--- a/libavformat/wtv.c
+++ b/libavformat/wtv.c
@@ -269,7 +269,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b
        dir_length  = AV_RL16(buf + 16);
        file_length = AV_RL64(buf + 24);
        name_size   = 2 * AV_RL32(buf + 32);
-        if (buf + 48 + name_size > buf_end) {
+        if (name_size < 0) {
+            av_log(s, AV_LOG_ERROR,
+                   "bad filename length, remaining directory entries ignored\n");
+            break;
+        }
+        if (48 + name_size > buf_end - buf) {
            av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n");
            break;
        }