diff nut.c @ 639:0b52743104ac libavformat
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
author | michael |
---|---|
date | Sat, 08 Jan 2005 14:21:33 +0000 |
parents | fe24632a577b |
children | b47948262721 |
--- a/nut.c Thu Jan 06 00:54:03 2005 +0000
+++ b/nut.c Sat Jan 08 14:21:33 2005 +0000
@@ -82,7 +82,7 @@
 int written_packet_size;
 int64_t packet_start[3]; //0-> startcode less, 1-> short startcode 2-> long startcodes
 FrameCode frame_code[256];
- int stream_count;
+ unsigned int stream_count;
 uint64_t next_startcode; ///< stores the next startcode if it has alraedy been parsed but the stream isnt seekable
 StreamContext *stream;
 int max_distance;
@@ -255,8 +255,8 @@
 return -1;
 }
-static int get_str(ByteIOContext *bc, char *string, int maxlen){
- int len= get_v(bc);
+static int get_str(ByteIOContext *bc, char *string, unsigned int maxlen){
+ unsigned int len= get_v(bc);
 if(len && maxlen)
 get_buffer(bc, string, FFMIN(len, maxlen));
@@ -283,7 +283,7 @@
 static uint64_t get_vb(ByteIOContext *bc){
 uint64_t val=0;
- int i= get_v(bc);
+ unsigned int i= get_v(bc);
 if(i>8)
 return UINT64_MAX;
@@ -877,6 +877,10 @@
 }
 nut->stream_count = get_v(bc);
+ if(nut->stream_count > MAX_STREAMS){
+ av_log(s, AV_LOG_ERROR, "too many streams\n");
+ return -1;
+ }
 nut->max_distance = get_v(bc);
 nut->max_short_distance = get_v(bc);
 nut->rate_num= get_v(bc);
@@ -982,6 +986,8 @@
 /* codec specific data headers */
 while(get_v(bc) != 0){
 st->codec.extradata_size= get_v(bc);
+ if((unsigned)st->codec.extradata_size > (1<<30))
+ return -1;
 st->codec.extradata= av_mallocz(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 get_buffer(bc, st->codec.extradata, st->codec.extradata_size);
 // url_fskip(bc, get_v(bc));
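Review bot: `unsigned int len= get_v(bc);` in get_str still narrows whatever get_v returns before any range test. get_v's declaration is not in this diff, but get_vb returns uint64_t, so if get_v is 64-bit as well, a coded length just above 2^32 is silently read as a small value instead of being rejected. The same narrowing sits in get_vb (`unsigned int i= get_v(bc);` ahead of the `i>8` test) and in `nut->stream_count = get_v(bc);` ahead of the MAX_STREAMS test, so an oversized value can wrap and pass both checks. Holding the value in a 64-bit variable until after the comparison would close this, e.g. `uint64_t i= get_v(bc);` in get_vb. get_str's body continues outside the hunk, so how len is used after the get_buffer call cannot be judged from here.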
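Review bot: The assignments directly after the new MAX_STREAMS check still store get_v() results into signed fields with no range test. `int max_distance;` is visible in the struct hunk, so `nut->max_distance = get_v(bc);` turns a value with the top bit set into a negative distance. The declarations of max_short_distance and rate_num are not shown and may have the same problem. A guard in the style of the stream_count check, such as `if(nut->max_distance < 0) return -1;` with an av_log message, would reject those inputs where they are parsed. The enclosing function starts and ends outside the hunk, so how these fields are consumed later is not visible.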
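Review bot: The result of `av_mallocz()` is passed straight to `get_buffer()` with no NULL check, and the new cap still allows sizes up to 1<<30, so a crafted size field makes a failed allocation, and a write through a NULL pointer, realistic; add `if(!st->codec.extradata) return -1;` before the get_buffer call. As far as this hunk shows, the `while(get_v(bc) != 0)` loop also assigns st->codec.extradata on every iteration without freeing the previous buffer, so a file carrying several codec-specific headers leaks each earlier allocation. The new `return -1` is silent, unlike the stream_count check, which logs through av_log. The loop and its function continue outside the hunk.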