generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

integer overflows, heap corruption

Browse Source 
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks

Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Michael Niedermayer
2005-01-08 14:21:33 +00:00
parent 934b0821db
commit 568e18b15e
19 changed files with 108 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
libavformat/4xm.c
View File

@@ -185,6 +185,8 @@ static int fourxm_read_header(AVFormatContext *s,
current_track = LE_32(&header[i + 8]); current_track = LE_32(&header[i + 8]);
if (current_track + 1 > fourxm->track_count) { if (current_track + 1 > fourxm->track_count) {
fourxm->track_count = current_track + 1; fourxm->track_count = current_track + 1;
if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack))
return -1;
fourxm->tracks = av_realloc(fourxm->tracks, fourxm->tracks = av_realloc(fourxm->tracks,
fourxm->track_count * sizeof(AudioTrack)); fourxm->track_count * sizeof(AudioTrack));
if (!fourxm->tracks) { if (!fourxm->tracks) {

2
libavformat/allformats.c
View File

@@ -126,7 +126,7 @@ void av_register_all(void)
av_register_image_format(&jpeg_image_format); av_register_image_format(&jpeg_image_format);
#endif #endif
av_register_image_format(&gif_image_format); av_register_image_format(&gif_image_format);
av_register_image_format(&sgi_image_format); // av_register_image_format(&sgi_image_format); heap corruption, dont enable
#endif //CONFIG_ENCODERS #endif //CONFIG_ENCODERS
/* file protocols */ /* file protocols */

2
libavformat/avformat.h
View File

@@ -546,7 +546,7 @@ int fifo_size(FifoBuffer *f, uint8_t *rptr);
int fifo_read(FifoBuffer *f, uint8_t *buf, int buf_size, uint8_t **rptr_ptr); int fifo_read(FifoBuffer *f, uint8_t *buf, int buf_size, uint8_t **rptr_ptr);
void fifo_write(FifoBuffer *f, uint8_t *buf, int size, uint8_t **wptr_ptr); void fifo_write(FifoBuffer *f, uint8_t *buf, int size, uint8_t **wptr_ptr);
int put_fifo(ByteIOContext *pb, FifoBuffer *f, int buf_size, uint8_t **rptr_ptr); int put_fifo(ByteIOContext *pb, FifoBuffer *f, int buf_size, uint8_t **rptr_ptr);
void fifo_realloc(FifoBuffer *f, int size); void fifo_realloc(FifoBuffer *f, unsigned int size);
/* media file input */ /* media file input */
AVInputFormat *av_find_input_format(const char *short_name); AVInputFormat *av_find_input_format(const char *short_name);

4
libavformat/avidec.c
View File

@@ -302,9 +302,11 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
get_le32(pb); /* ClrUsed */ get_le32(pb); /* ClrUsed */
get_le32(pb); /* ClrImportant */ get_le32(pb); /* ClrImportant */
if(size > 10*4 && size<(1<<30)){
st->codec.extradata_size= size - 10*4; st->codec.extradata_size= size - 10*4;
st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
get_buffer(pb, st->codec.extradata, st->codec.extradata_size); get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
}
if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly
get_byte(pb); get_byte(pb);
@@ -549,6 +551,8 @@ static int avi_read_idx1(AVFormatContext *s, int size)
nb_index_entries = size / 16; nb_index_entries = size / 16;
if (nb_index_entries <= 0) if (nb_index_entries <= 0)
return -1; return -1;
if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry))
return -1;
/* read the entries and sort them in each stream component */ /* read the entries and sort them in each stream component */
for(i = 0; i < nb_index_entries; i++) { for(i = 0; i < nb_index_entries; i++) {

6
libavformat/aviobuf.c
View File

@@ -629,11 +629,13 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
/* reallocate buffer if needed */ /* reallocate buffer if needed */
new_size = d->pos + buf_size; new_size = d->pos + buf_size;
new_allocated_size = d->allocated_size; new_allocated_size = d->allocated_size;
if(new_size < d->pos || new_size > INT_MAX/2)
return -1;
while (new_size > new_allocated_size) { while (new_size > new_allocated_size) {
if (!new_allocated_size) if (!new_allocated_size)
new_allocated_size = new_size; new_allocated_size = new_size;
else else
new_allocated_size = (new_allocated_size * 3) / 2 + 1; new_allocated_size += new_allocated_size / 2 + 1;
} }
if (new_allocated_size > d->allocated_size) { if (new_allocated_size > d->allocated_size) {
@@ -691,6 +693,8 @@ static int url_open_dyn_buf_internal(ByteIOContext *s, int max_packet_size)
else else
io_buffer_size = 1024; io_buffer_size = 1024;
if(sizeof(DynBuffer) + io_buffer_size < io_buffer_size)
return -1;
d = av_malloc(sizeof(DynBuffer) + io_buffer_size); d = av_malloc(sizeof(DynBuffer) + io_buffer_size);
if (!d) if (!d)
return -1; return -1;

6
libavformat/gifdec.c
View File

@@ -474,6 +474,12 @@ static int gif_read_header1(GifState *s)
s->transparent_color_index = -1; s->transparent_color_index = -1;
s->screen_width = get_le16(f); s->screen_width = get_le16(f);
s->screen_height = get_le16(f); s->screen_height = get_le16(f);
if( (unsigned)s->screen_width > 32767
|| (unsigned)s->screen_height > 32767){
av_log(NULL, AV_LOG_ERROR, "picture size too large\n");
return -1;
}
v = get_byte(f); v = get_byte(f);
s->color_resolution = ((v & 0x70) >> 4) + 1; s->color_resolution = ((v & 0x70) >> 4) + 1;
has_global_palette = (v & 0x80); has_global_palette = (v & 0x80);

3
libavformat/grab.c
View File

@@ -76,6 +76,9 @@ static int grab_read_header(AVFormatContext *s1, AVFormatParameters *ap)
frame_rate = ap->frame_rate; frame_rate = ap->frame_rate;
frame_rate_base = ap->frame_rate_base; frame_rate_base = ap->frame_rate_base;
if((unsigned)width > 32767 || (unsigned)height > 32767)
return -1;
st = av_new_stream(s1, 0); st = av_new_stream(s1, 0);
if (!st) if (!st)
return -ENOMEM; return -ENOMEM;

10
libavformat/http.c
View File

@@ -290,12 +290,16 @@ URLProtocol http_protocol = {
static char *b64_encode( unsigned char *src ) static char *b64_encode( unsigned char *src )
{ {
static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
unsigned int len= strlen(src);
char *dst = av_malloc( strlen( src ) * 4 / 3 + 12 ); char *ret, *dst;
char *ret = dst;
unsigned i_bits = 0; unsigned i_bits = 0;
unsigned i_shift = 0; unsigned i_shift = 0;
if(len < UINT_MAX/4){
ret=dst= av_malloc( len * 4 / 3 + 12 );
}else
return NULL;
for( ;; ) for( ;; )
{ {
if( *src ) if( *src )

4
libavformat/img.c
View File

@@ -123,7 +123,7 @@ static int img_read_header(AVFormatContext *s1, AVFormatParameters *ap)
if (ap && ap->image_format) if (ap && ap->image_format)
s->img_fmt = ap->image_format; s->img_fmt = ap->image_format;
strcpy(s->path, s1->filename); pstrcpy(s->path, sizeof(s->path), s1->filename);
s->img_number = 0; s->img_number = 0;
s->img_count = 0; s->img_count = 0;
@@ -289,7 +289,7 @@ static int img_write_header(AVFormatContext *s)
VideoData *img = s->priv_data; VideoData *img = s->priv_data;
img->img_number = 1; img->img_number = 1;
strcpy(img->path, s->filename); pstrcpy(img->path, sizeof(img->path), s->filename);
/* find format */ /* find format */
if (s->oformat->flags & AVFMT_NOFILE) if (s->oformat->flags & AVFMT_NOFILE)

4
libavformat/img2.c
View File

@@ -184,7 +184,7 @@ static int img_read_header(AVFormatContext *s1, AVFormatParameters *ap)
return -ENOMEM; return -ENOMEM;
} }
strcpy(s->path, s1->filename); pstrcpy(s->path, sizeof(s->path), s1->filename);
s->img_number = 0; s->img_number = 0;
s->img_count = 0; s->img_count = 0;
@@ -310,7 +310,7 @@ static int img_write_header(AVFormatContext *s)
VideoData *img = s->priv_data; VideoData *img = s->priv_data;
img->img_number = 1; img->img_number = 1;
strcpy(img->path, s->filename); pstrcpy(img->path, sizeof(img->path), s->filename);
/* find format */ /* find format */
if (s->oformat->flags & AVFMT_NOFILE) if (s->oformat->flags & AVFMT_NOFILE)

2
libavformat/matroska.c
View File

@@ -669,7 +669,7 @@ ebml_read_ascii (MatroskaDemuxContext *matroska,
/* ebml strings are usually not 0-terminated, so we allocate one /* ebml strings are usually not 0-terminated, so we allocate one
* byte more, read the string and NULL-terminate it ourselves. */ * byte more, read the string and NULL-terminate it ourselves. */
if (!(*str = av_malloc(size + 1))) { if (size < 0 || !(*str = av_malloc(size + 1))) {
av_log(matroska->ctx, AV_LOG_ERROR, "Memory allocation failed\n"); av_log(matroska->ctx, AV_LOG_ERROR, "Memory allocation failed\n");
return AVERROR_NOMEM; return AVERROR_NOMEM;
} }

43
libavformat/mov.c
View File

@@ -367,6 +367,10 @@ static int mov_read_default(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
/* empty */; /* empty */;
a.size -= 8; a.size -= 8;
if(a.size < 0)
break;
// av_log(NULL, AV_LOG_DEBUG, " i=%ld\n", i); // av_log(NULL, AV_LOG_DEBUG, " i=%ld\n", i);
if (c->parse_table[i].type == 0) { /* skip leaf atoms data */ if (c->parse_table[i].type == 0) { /* skip leaf atoms data */
// url_seek(pb, atom.offset+atom.size, SEEK_SET); // url_seek(pb, atom.offset+atom.size, SEEK_SET);
@@ -401,7 +405,10 @@ static int mov_read_ctab(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
unsigned int len; unsigned int len;
MOV_ctab_t *t; MOV_ctab_t *t;
//url_fskip(pb, atom.size); // for now #if 1
url_fskip(pb, atom.size); // for now
#else
VERY VERY BROKEN, NEVER execute this, needs rewrite
c->ctab = av_realloc(c->ctab, ++c->ctab_size); c->ctab = av_realloc(c->ctab, ++c->ctab_size);
t = c->ctab[c->ctab_size]; t = c->ctab[c->ctab_size];
t->seed = get_be32(pb); t->seed = get_be32(pb);
@@ -413,6 +420,7 @@ static int mov_read_ctab(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
if (t->clrs) if (t->clrs)
get_buffer(pb, t->clrs, len); get_buffer(pb, t->clrs, len);
} }
#endif
return 0; return 0;
} }
@@ -677,6 +685,9 @@ static int mov_read_smi(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
if((uint64_t)atom.size > (1<<30))
return -1;
// currently SVQ3 decoder expect full STSD header - so let's fake it // currently SVQ3 decoder expect full STSD header - so let's fake it
// this should be fixed and just SMI header should be passed // this should be fixed and just SMI header should be passed
av_free(st->codec.extradata); av_free(st->codec.extradata);
@@ -697,6 +708,9 @@ static int mov_read_avcC(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
if((uint64_t)atom.size > (1<<30))
return -1;
av_free(st->codec.extradata); av_free(st->codec.extradata);
st->codec.extradata_size = atom.size; st->codec.extradata_size = atom.size;
@@ -714,7 +728,7 @@ static int mov_read_stco(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data; MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
int entries, i; unsigned int i, entries;
print_atom("stco", atom); print_atom("stco", atom);
@@ -722,6 +736,10 @@ static int mov_read_stco(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */ get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb); entries = get_be32(pb);
if(entries >= UINT_MAX/sizeof(int64_t))
return -1;
sc->chunk_count = entries; sc->chunk_count = entries;
sc->chunk_offsets = (int64_t*) av_malloc(entries * sizeof(int64_t)); sc->chunk_offsets = (int64_t*) av_malloc(entries * sizeof(int64_t));
if (!sc->chunk_offsets) if (!sc->chunk_offsets)
@@ -1138,7 +1156,7 @@ static int mov_read_stsc(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data; MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
int entries, i; unsigned int i, entries;
print_atom("stsc", atom); print_atom("stsc", atom);
@@ -1146,6 +1164,10 @@ static int mov_read_stsc(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */ get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb); entries = get_be32(pb);
if(entries >= UINT_MAX / sizeof(MOV_sample_to_chunk_tbl))
return -1;
#ifdef DEBUG #ifdef DEBUG
av_log(NULL, AV_LOG_DEBUG, "track[%i].stsc.entries = %i\n", c->fc->nb_streams-1, entries); av_log(NULL, AV_LOG_DEBUG, "track[%i].stsc.entries = %i\n", c->fc->nb_streams-1, entries);
#endif #endif
@@ -1168,7 +1190,7 @@ static int mov_read_stss(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data; MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
int entries, i; unsigned int i, entries;
print_atom("stss", atom); print_atom("stss", atom);
@@ -1176,6 +1198,10 @@ static int mov_read_stss(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */ get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb); entries = get_be32(pb);
if(entries >= UINT_MAX / sizeof(long))
return -1;
sc->keyframe_count = entries; sc->keyframe_count = entries;
#ifdef DEBUG #ifdef DEBUG
av_log(NULL, AV_LOG_DEBUG, "keyframe_count = %ld\n", sc->keyframe_count); av_log(NULL, AV_LOG_DEBUG, "keyframe_count = %ld\n", sc->keyframe_count);
@@ -1196,7 +1222,7 @@ static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
MOVStreamContext *sc = (MOVStreamContext *)st->priv_data; MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
int entries, i; unsigned int i, entries;
print_atom("stsz", atom); print_atom("stsz", atom);
@@ -1205,6 +1231,9 @@ static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
sc->sample_size = get_be32(pb); sc->sample_size = get_be32(pb);
entries = get_be32(pb); entries = get_be32(pb);
if(entries >= UINT_MAX / sizeof(long))
return -1;
sc->sample_count = entries; sc->sample_count = entries;
#ifdef DEBUG #ifdef DEBUG
av_log(NULL, AV_LOG_DEBUG, "sample_size = %ld sample_count = %ld\n", sc->sample_size, sc->sample_count); av_log(NULL, AV_LOG_DEBUG, "sample_size = %ld sample_count = %ld\n", sc->sample_size, sc->sample_count);
@@ -1227,7 +1256,7 @@ static int mov_read_stts(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
{ {
AVStream *st = c->fc->streams[c->fc->nb_streams-1]; AVStream *st = c->fc->streams[c->fc->nb_streams-1];
//MOVStreamContext *sc = (MOVStreamContext *)st->priv_data; //MOVStreamContext *sc = (MOVStreamContext *)st->priv_data;
int entries, i; unsigned int i, entries;
int64_t duration=0; int64_t duration=0;
int64_t total_sample_count=0; int64_t total_sample_count=0;
@@ -1236,6 +1265,8 @@ static int mov_read_stts(MOVContext *c, ByteIOContext *pb, MOV_atom_t atom)
get_byte(pb); /* version */ get_byte(pb); /* version */
get_byte(pb); get_byte(pb); get_byte(pb); /* flags */ get_byte(pb); get_byte(pb); get_byte(pb); /* flags */
entries = get_be32(pb); entries = get_be32(pb);
if(entries >= UINT_MAX / sizeof(uint64_t))
return -1;
c->streams[c->fc->nb_streams-1]->stts_count = entries; c->streams[c->fc->nb_streams-1]->stts_count = entries;
c->streams[c->fc->nb_streams-1]->stts_data = (uint64_t*) av_malloc(entries * sizeof(uint64_t)); c->streams[c->fc->nb_streams-1]->stts_data = (uint64_t*) av_malloc(entries * sizeof(uint64_t));

2
libavformat/nsvdec.c
View File

@@ -365,6 +365,8 @@ static int nsv_parse_NSVf_header(AVFormatContext *s, AVFormatParameters *ap)
if (table_entries_used > 0) { if (table_entries_used > 0) {
nsv->index_entries = table_entries_used; nsv->index_entries = table_entries_used;
if((unsigned)table_entries >= UINT_MAX / sizeof(uint32_t))
return -1;
nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t)); nsv->nsvf_index_data = av_malloc(table_entries * sizeof(uint32_t));
get_buffer(pb, nsv->nsvf_index_data, table_entries * sizeof(uint32_t)); get_buffer(pb, nsv->nsvf_index_data, table_entries * sizeof(uint32_t));
} }

14
libavformat/nut.c
View File

@@ -82,7 +82,7 @@ typedef struct {
int written_packet_size; int written_packet_size;
int64_t packet_start[3]; //0-> startcode less, 1-> short startcode 2-> long startcodes int64_t packet_start[3]; //0-> startcode less, 1-> short startcode 2-> long startcodes
FrameCode frame_code[256]; FrameCode frame_code[256];
int stream_count; unsigned int stream_count;
uint64_t next_startcode; ///< stores the next startcode if it has alraedy been parsed but the stream isnt seekable uint64_t next_startcode; ///< stores the next startcode if it has alraedy been parsed but the stream isnt seekable
StreamContext *stream; StreamContext *stream;
int max_distance; int max_distance;
@@ -255,8 +255,8 @@ static uint64_t get_v(ByteIOContext *bc)
return -1; return -1;
} }
static int get_str(ByteIOContext *bc, char *string, int maxlen){ static int get_str(ByteIOContext *bc, char *string, unsigned int maxlen){
int len= get_v(bc); unsigned int len= get_v(bc);
if(len && maxlen) if(len && maxlen)
get_buffer(bc, string, FFMIN(len, maxlen)); get_buffer(bc, string, FFMIN(len, maxlen));
@@ -283,7 +283,7 @@ static int64_t get_s(ByteIOContext *bc){
static uint64_t get_vb(ByteIOContext *bc){ static uint64_t get_vb(ByteIOContext *bc){
uint64_t val=0; uint64_t val=0;
int i= get_v(bc); unsigned int i= get_v(bc);
if(i>8) if(i>8)
return UINT64_MAX; return UINT64_MAX;
@@ -877,6 +877,10 @@ static int decode_main_header(NUTContext *nut){
} }
nut->stream_count = get_v(bc); nut->stream_count = get_v(bc);
if(nut->stream_count > MAX_STREAMS){
av_log(s, AV_LOG_ERROR, "too many streams\n");
return -1;
}
nut->max_distance = get_v(bc); nut->max_distance = get_v(bc);
nut->max_short_distance = get_v(bc); nut->max_short_distance = get_v(bc);
nut->rate_num= get_v(bc); nut->rate_num= get_v(bc);
@@ -982,6 +986,8 @@ static int decode_stream_header(NUTContext *nut){
/* codec specific data headers */ /* codec specific data headers */
while(get_v(bc) != 0){ while(get_v(bc) != 0){
st->codec.extradata_size= get_v(bc); st->codec.extradata_size= get_v(bc);
if((unsigned)st->codec.extradata_size > (1<<30))
return -1;
st->codec.extradata= av_mallocz(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); st->codec.extradata= av_mallocz(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
get_buffer(bc, st->codec.extradata, st->codec.extradata_size); get_buffer(bc, st->codec.extradata, st->codec.extradata_size);
// url_fskip(bc, get_v(bc)); // url_fskip(bc, get_v(bc));

2
libavformat/ogg.c
View File

@@ -195,6 +195,8 @@ static int ogg_read_header(AVFormatContext *avfcontext, AVFormatParameters *ap)
if(next_packet(avfcontext, &op)){ if(next_packet(avfcontext, &op)){
return -1; return -1;
} }
if(op.bytes >= (1<<16) || op.bytes < 0)
return -1;
codec->extradata_size+= 2 + op.bytes; codec->extradata_size+= 2 + op.bytes;
codec->extradata= av_realloc(codec->extradata, codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); codec->extradata= av_realloc(codec->extradata, codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
p= codec->extradata + codec->extradata_size - 2 - op.bytes; p= codec->extradata + codec->extradata_size - 2 - op.bytes;

2
libavformat/segafilm.c
View File

@@ -171,6 +171,8 @@ static int film_read_header(AVFormatContext *s,
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
film->base_clock = BE_32(&scratch[8]); film->base_clock = BE_32(&scratch[8]);
film->sample_count = BE_32(&scratch[12]); film->sample_count = BE_32(&scratch[12]);
if(film->sample_count >= UINT_MAX / sizeof(film_sample_t))
return -1;
film->sample_table = av_malloc(film->sample_count * sizeof(film_sample_t)); film->sample_table = av_malloc(film->sample_count * sizeof(film_sample_t));
for(i=0; i<s->nb_streams; i++) for(i=0; i<s->nb_streams; i++)

3
libavformat/sgi.c
View File

@@ -66,6 +66,9 @@ static void read_sgi_header(ByteIOContext *f, SGIInfo *info)
info->ysize = (unsigned short) get_be16(f); info->ysize = (unsigned short) get_be16(f);
info->zsize = (unsigned short) get_be16(f); info->zsize = (unsigned short) get_be16(f);
if(info->zsize > 4096)
info->zsize= 0;
#ifdef DEBUG #ifdef DEBUG
printf("sgi header fields:\n"); printf("sgi header fields:\n");
printf(" magic: %d\n", info->magic); printf(" magic: %d\n", info->magic);

17
libavformat/utils.c
View File

@@ -180,7 +180,10 @@ static void av_destruct_packet(AVPacket *pkt)
*/ */
int av_new_packet(AVPacket *pkt, int size) int av_new_packet(AVPacket *pkt, int size)
{ {
void *data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE); void *data;
if((unsigned)size > (unsigned)size + FF_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_NOMEM;
data = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!data) if (!data)
return AVERROR_NOMEM; return AVERROR_NOMEM;
memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE); memset(data + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
@@ -200,6 +203,8 @@ int av_dup_packet(AVPacket *pkt)
uint8_t *data; uint8_t *data;
/* we duplicate the packet and don't forget to put the padding /* we duplicate the packet and don't forget to put the padding
again */ again */
if((unsigned)pkt->size > (unsigned)pkt->size + FF_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_NOMEM;
data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE); data = av_malloc(pkt->size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!data) { if (!data) {
return AVERROR_NOMEM; return AVERROR_NOMEM;
@@ -277,8 +282,8 @@ int fifo_read(FifoBuffer *f, uint8_t *buf, int buf_size, uint8_t **rptr_ptr)
return 0; return 0;
} }
void fifo_realloc(FifoBuffer *f, int new_size){ void fifo_realloc(FifoBuffer *f, unsigned int new_size){
int old_size= f->end - f->buffer; unsigned int old_size= f->end - f->buffer;
if(old_size < new_size){ if(old_size < new_size){
uint8_t *old= f->buffer; uint8_t *old= f->buffer;
@@ -1007,10 +1012,16 @@ int av_add_index_entry(AVStream *st,
AVIndexEntry *entries, *ie; AVIndexEntry *entries, *ie;
int index; int index;
if((unsigned)st->nb_index_entries + 1 >= UINT_MAX / sizeof(AVIndexEntry))
return -1;
entries = av_fast_realloc(st->index_entries, entries = av_fast_realloc(st->index_entries,
&st->index_entries_allocated_size, &st->index_entries_allocated_size,
(st->nb_index_entries + 1) * (st->nb_index_entries + 1) *
sizeof(AVIndexEntry)); sizeof(AVIndexEntry));
if(!entries)
return -1;
st->index_entries= entries; st->index_entries= entries;
index= av_index_search_timestamp(st, timestamp, 0); index= av_index_search_timestamp(st, timestamp, 0);

2
libavformat/wc3movie.c
View File

@@ -169,6 +169,8 @@ static int wc3_read_header(AVFormatContext *s,
if ((ret = get_buffer(pb, preamble, 4)) != 4) if ((ret = get_buffer(pb, preamble, 4)) != 4)
return AVERROR_IO; return AVERROR_IO;
wc3->palette_count = LE_32(&preamble[0]); wc3->palette_count = LE_32(&preamble[0]);
if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE)
return -1;
wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE); wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE);
break; break;