4.3 Vulnerability Remediation
Note
Tuesday, January 27, 2009
After I told the FFmpeg maintainers about the bug, they developed the following patch:[42]
--- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ −166,12 +166,13 @@ static int fourxm_read_header(AVFormatContext *s, goto fail; } current_track = AV_RL32(&header[i + 8]);+ if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+ av_log(s, AV_LOG_ERROR, "current_track too large\n");
+ ret= −1;
+ goto fail;
+ }
if (current_track + 1 > fourxm->track_count) { fourxm->track_count = current_track + 1;- if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){
- ret= −1;
- goto fail;
- }
fourxm->tracks = av_realloc(fourxm->tracks, fourxm->track_count * sizeof(AudioTrack)); if (!fourxm->tracks) ...
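Review bot: the added bounds check on current_track does two things that are not documented in the code. The `(unsigned)` cast is what rejects negative values (a negative number becomes a very large unsigned one), and the `- 1` in `UINT_MAX / sizeof(AudioTrack) - 1` is what leaves room for the later `current_track + 1` before it is multiplied by `sizeof(AudioTrack)` in the av_realloc() call. A one-line comment above the `if` stating both would keep a later cleanup from dropping either. If current_track is a signed type, as the cast suggests, the "current_track too large" log message will also be emitted for negative inputs, so wording such as "invalid current_track" would be more accurate. Finally, `ret= −1` returns a bare -1; a named error code would tell callers more about why the header was rejected.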