blob: ee02037948823e881a331bd89ab729a2bd2c710b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From 9cb4eb772839c5e1de2855d126bf74ff16d13382 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Tue, 5 Sep 2017 00:16:29 +0200
Subject: [PATCH] avformat/mov: Fix DoS in read_tfra()
Fixes: Missing EOF check in loop
No testcase
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
CVE: CVE-2017-14222
Upstream-Status: Backport
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
libavformat/mov.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 994e9c6..2519707 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6094,6 +6094,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
}
for (i = 0; i < index->item_count; i++) {
int64_t time, offset;
+
+ if (avio_feof(f)) {
+ index->item_count = 0;
+ av_freep(&index->items);
+ return AVERROR_INVALIDDATA;
+ }
+
if (version == 1) {
time = avio_rb64(f);
offset = avio_rb64(f);
--
2.1.0
|
