Commit af89c144 authored by Michael Niedermayer's avatar Michael Niedermayer

Merge commit '0b66fb45'

* commit '0b66fb45':
  flac_picture: prevent a possible out of bound write

This is only partly merged, the condition this checks for
is impossible to be true as it would imply avio_read() to
read more than the size passed to it

See: 731f7eaa
Merged-by: Michael Niedermayer <michaelni@gmx.at>
parents d6095662 0b66fb45
...@@ -33,8 +33,9 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size) ...@@ -33,8 +33,9 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
uint8_t mimetype[64], *desc = NULL; uint8_t mimetype[64], *desc = NULL;
AVIOContext *pb = NULL; AVIOContext *pb = NULL;
AVStream *st; AVStream *st;
int type, width, height; int width, height, ret = 0;
int len, ret = 0; int len;
unsigned int type;
pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL); pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL);
if (!pb) if (!pb)
...@@ -42,7 +43,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size) ...@@ -42,7 +43,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* read the picture type */ /* read the picture type */
type = avio_rb32(pb); type = avio_rb32(pb);
if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types) || type < 0) { if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type); av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
if (s->error_recognition & AV_EF_EXPLODE) { if (s->error_recognition & AV_EF_EXPLODE) {
RETURN_ERROR(AVERROR_INVALIDDATA); RETURN_ERROR(AVERROR_INVALIDDATA);
...@@ -52,7 +53,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size) ...@@ -52,7 +53,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
/* picture mimetype */ /* picture mimetype */
len = avio_rb32(pb); len = avio_rb32(pb);
if (len <= 0 || if (len <= 0 || len >= 64 ||
avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) { avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) {
av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached " av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
"picture.\n"); "picture.\n");
......
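Review bot: The new bound in the mimetype check is the literal `64` rather than the size of the buffer it protects, so it would silently go stale if `uint8_t mimetype[64]` were ever resized; `len >= sizeof(mimetype)` keeps the two in step. With that bound in place `len` is at most 63 when avio_read() is called, so the FFMIN() clamp is redundant and the call can be `avio_read(pb, mimetype, len) != len`. Separately, `type` is now `unsigned int` but the "Invalid picture type" message still formats it with `%d`, so a value above INT_MAX is logged as a negative number; `%u` matches the new type. ff_flac_parse_picture continues outside the visible hunks, so the write this bound presumably guards is not shown here.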