Commit ce10f572 authored by Andreas Cadhalpun's avatar Andreas Cadhalpun

nutdec: reject negative value_len in read_sm_data

If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.

Also fix potential overflow of avio_tell(bc) + value_len.
Reviewed-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
Signed-off-by: 's avatarAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
parent 9d38f06d
...@@ -934,7 +934,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int ...@@ -934,7 +934,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
return ret; return ret;
} }
value_len = ffio_read_varlen(bc); value_len = ffio_read_varlen(bc);
if (avio_tell(bc) + value_len >= maxpos) if (value_len < 0 || value_len >= maxpos - avio_tell(bc))
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if (!strcmp(name, "Palette")) { if (!strcmp(name, "Palette")) {
dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment