changeset 643:253b5292946a libavformat
various security fixes and precautionary checks
author | michael |
---|---|
date | Wed, 12 Jan 2005 00:16:25 +0000 |
parents | 868c41d335aa |
children | 1bbcf7b444ae |
files | 4xm.c asf.c aviobuf.c flic.c idroq.c segafilm.c utils.c wc3movie.c |
diffstat | 8 files changed, 17 insertions(+), 8 deletions(-) [+] |
--- a/4xm.c Tue Jan 11 08:16:04 2005 +0000
+++ b/4xm.c Wed Jan 12 00:16:25 2005 +0000
@@ -279,7 +279,7 @@
 /* allocate 8 more bytes than 'size' to account for fourcc
 * and size */
- if (av_new_packet(pkt, size + 8))
+ if (size + 8 < size || av_new_packet(pkt, size + 8))
 return AVERROR_IO;
 pkt->stream_index = fourxm->video_stream_index;
 pkt->pts = fourxm->video_pts;
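Review bot: The wrap test `size + 8 < size` only works if `size` is unsigned, and its declaration is outside the hunk; on a signed int the overflow is undefined and a compiler may drop the test. Even with an unsigned `size`, values just below the wrap point pass the test and are then converted to the int length that av_new_packet() takes. Comparing before adding covers both cases: `if ((unsigned)size > INT_MAX - 8 || av_new_packet(pkt, size + 8))`.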
--- a/asf.c Tue Jan 11 08:16:04 2005 +0000
+++ b/asf.c Wed Jan 12 00:16:25 2005 +0000
@@ -333,7 +333,7 @@
 {
 value = (char *)av_mallocz(value_len);
 get_str16_nolen(pb, value_len, value, value_len);
- if (strcmp(name,"WM/AlbumTitle")==0) { strcpy(s->album, value); }
+ if (strcmp(name,"WM/AlbumTitle")==0) { pstrcpy(s->album, sizeof(s->album), value); }
 av_free(value);
 }
 if ((value_type >= 2) || (value_type <= 5)) // boolean or DWORD or QWORD or WORD
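Review bot: `value` is still handed to get_str16_nolen() and pstrcpy() without a NULL check after `av_mallocz(value_len)`, and value_len appears to come from the file, so a failed allocation is dereferenced. Add `if (!value) return AVERROR_NOMEM;` before the read, or use the function's usual error path, which is outside the hunk. Separately, the context condition `(value_type >= 2) || (value_type <= 5)` is true for every value and probably wants `&&`.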
--- a/aviobuf.c Tue Jan 11 08:16:04 2005 +0000
+++ b/aviobuf.c Wed Jan 12 00:16:25 2005 +0000
@@ -350,6 +350,9 @@
 int get_partial_buffer(ByteIOContext *s, unsigned char *buf, int size)
 {
 int len;
+
+ if(size<0)
+ return -1;
 len = s->buf_end - s->buf_ptr;
 if (len == 0) {
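Review bot: The new guard in get_partial_buffer() carries no comment saying why a negative `size` is rejected or what a caller should make of the bare `-1`, and the function has no header comment stating its contract. A line above the check such as `/* reject negative sizes before they are used as a length below */` would record the intent; the rest of the body is outside the hunk, so the wording should be matched to how `size` is used there. Returning an AVERROR code rather than -1 would also be consistent with the other checks added in this changeset.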
--- a/flic.c Tue Jan 11 08:16:04 2005 +0000
+++ b/flic.c Wed Jan 12 00:16:25 2005 +0000
@@ -171,7 +171,7 @@
 size = LE_32(&preamble[0]);
 magic = LE_16(&preamble[4]);
- if ((magic == FLIC_CHUNK_MAGIC_1) || (magic == FLIC_CHUNK_MAGIC_2)) {
+ if (((magic == FLIC_CHUNK_MAGIC_1) || (magic == FLIC_CHUNK_MAGIC_2)) && size > FLIC_PREAMBLE_SIZE) {
 if (av_new_packet(pkt, size)) {
 ret = AVERROR_IO;
 break;
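Review bot: The added `size > FLIC_PREAMBLE_SIZE` bounds the chunk length from below only, so if `size` is unsigned (its declaration is outside the hunk) a value above INT_MAX still reaches `av_new_packet(pkt, size)` as a negative length. An upper bound in the same condition, e.g. `&& (unsigned)size <= INT_MAX`, closes that. A chunk with a valid magic and an undersized length now falls through to whatever follows this `if`, which is outside the hunk; it is worth confirming that path does not compute an offset from `size` minus the preamble length.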
--- a/idroq.c Tue Jan 11 08:16:04 2005 +0000
+++ b/idroq.c Wed Jan 12 00:16:25 2005 +0000
@@ -196,6 +196,8 @@
 chunk_type = LE_16(&preamble[0]);
 chunk_size = LE_32(&preamble[2]);
+ if(chunk_size > INT_MAX)
+ return AVERROR_INVALIDDATA;
 switch (chunk_type) {
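Review bot: `chunk_size > INT_MAX` leaves no headroom: a chunk_size at or just below INT_MAX passes, and any later expression that adds the preamble length to it before passing it as an int would still wrap negative (the switch body is outside the hunk). Bounding against the largest total actually allocated is safer, for example `if(chunk_size > INT_MAX - sizeof(preamble))`, assuming `preamble` is an array in scope here. The test is also only meaningful if `chunk_size` is unsigned, which the hunk does not show.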
--- a/segafilm.c Tue Jan 11 08:16:04 2005 +0000
+++ b/segafilm.c Wed Jan 12 00:16:25 2005 +0000
@@ -231,6 +231,8 @@
 (film->video_type == CODEC_ID_CINEPAK)) {
 if (av_new_packet(pkt, sample->sample_size - film->cvid_extra_bytes))
 return AVERROR_NOMEM;
+ if(pkt->size < 10)
+ return -1;
 ret = get_buffer(pb, pkt->data, 10);
 /* skip the non-spec CVID bytes */
 url_fseek(pb, film->cvid_extra_bytes, SEEK_CUR);
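Review bot: The early `return -1` after `pkt->size < 10` leaks the packet that av_new_packet() has just allocated, and the length is only validated after `sample->sample_size - film->cvid_extra_bytes` has already been computed and allocated. Free on the error path, `if(pkt->size < 10){ av_free_packet(pkt); return -1; }`, or better, reject the sample before allocating. The types of the two operands are outside the hunk, so whether the subtraction can go negative should be checked as well. AVERROR_INVALIDDATA would describe this failure better than a bare -1.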
--- a/utils.c Tue Jan 11 08:16:04 2005 +0000
+++ b/utils.c Wed Jan 12 00:16:25 2005 +0000
@@ -57,7 +57,7 @@
 p = extensions;
 for(;;) {
 q = ext1;
- while (*p != '\0' && *p != ',')
+ while (*p != '\0' && *p != ',' && q-ext1<sizeof(ext1)-1)
 *q++ = *p++;
 *q = '\0';
 if (!strcasecmp(ext1, ext))
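Review bot: When the new bound stops the copy, `p` is left in the middle of the over-long token rather than at `,` or the terminator. Unless the code after the comparison (outside the hunk) skips ahead, the tail of that token is parsed as a separate extension and can match `ext`. After the copy loop, advance past the remainder with `while (*p != '\0' && *p != ',') p++;`. The truncated prefix in `ext1` is still compared, so treating a truncated token as a non-match would be stricter.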
--- a/wc3movie.c Tue Jan 11 08:16:04 2005 +0000
+++ b/wc3movie.c Wed Jan 12 00:16:25 2005 +0000
@@ -169,14 +169,16 @@
 if ((ret = get_buffer(pb, preamble, 4)) != 4)
 return AVERROR_IO;
 wc3->palette_count = LE_32(&preamble[0]);
- if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE)
+ if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE){
+ wc3->palette_count= 0;
 return -1;
+ }
 wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE);
 break;
 case BNAM_TAG:
 /* load up the name */
- if (size < 512)
+ if ((unsigned)size < 512)
 bytes_to_read = size;
 else
 bytes_to_read = 512;
@@ -195,7 +197,7 @@
 case PALT_TAG:
 /* one of several palettes */
- if (current_palette >= wc3->palette_count)
+ if ((unsigned)current_palette >= wc3->palette_count)
 return AVERROR_INVALIDDATA;
 if ((ret = get_buffer(pb, &wc3->palettes[current_palette * PALETTE_SIZE],
@@ -331,7 +333,7 @@
 #if 0
 url_fseek(pb, size, SEEK_CUR);
 #else
- if ((ret = get_buffer(pb, text, size)) != size)
+ if ((unsigned)size > sizeof(text) || (ret = get_buffer(pb, text, size)) != size)
 ret = AVERROR_IO;
 else {
 int i = 0;
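Review bot: In the first hunk the result of `av_malloc(wc3->palette_count * PALETTE_SIZE)` is not checked, so on allocation failure `wc3->palettes` is NULL while `palette_count` stays non-zero. The PALT_TAG case in the second hunk would then pass its index check and read into `&wc3->palettes[...]`. The commit resets palette_count on the overflow path but not here; add `if (!wc3->palettes) { wc3->palette_count = 0; return AVERROR_NOMEM; }` after the allocation.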
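Review bot: In the last hunk, `(unsigned)size > sizeof(text)` still accepts `size == sizeof(text)`, which fills the buffer completely and leaves no room for a terminator. If the `else` body (outside the hunk) reads `text` as strings, use `>=` or terminate explicitly after the read. An oversized chunk is also reported as AVERROR_IO although no I/O failed; AVERROR_INVALIDDATA, already used in the PALT_TAG case, fits better.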