blob: 088b357b254d3cf777fdd0b18efeba66591e107b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E6=B5=A9=20and=20=E5=BC=A0=E6=B4=AA=E4=BA=AE=28?=
=?UTF-8?q?=E6=9C=9B=E5=88=9D=29?= <tony.sh and wangchu.zhl@alibaba-inc.com>
Date: Fri, 25 Aug 2017 01:15:29 +0200
Subject: [PATCH] avformat/rl2: Fix DoS due to lack of eof check
Fixes: loop.rl2
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2017-14056
Upstream-Status: Backport
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
libavformat/rl2.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1..eb1682d 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
}
/** read offset and size tables */
- for(i=0; i < frame_count;i++)
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
chunk_size[i] = avio_rl32(pb);
- for(i=0; i < frame_count;i++)
+ }
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
chunk_offset[i] = avio_rl32(pb);
- for(i=0; i < frame_count;i++)
+ }
+ for(i=0; i < frame_count;i++) {
+ if (avio_feof(pb))
+ return AVERROR_INVALIDDATA;
audio_size[i] = avio_rl32(pb) & 0xFFFF;
+ }
/** build the sample index */
for(i=0;i<frame_count;i++){
--
2.1.0
|
