A Bug Hunter's Diary by Tobias Klein

4.3 Vulnerability Remediation

Note

Tuesday, January 27, 2009

After I told the FFmpeg maintainers about the bug, they developed the following patch:[42]

--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ −166,12 +166,13 @@ static int fourxm_read_header(AVFormatContext *s,
                 goto fail;
             }
             current_track = AV_RL32(&header[i + 8]);
+            if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+                av_log(s, AV_LOG_ERROR, "current_track too large\n");
+                ret= −1;
+                goto fail;
+            }
             if (current_track + 1 > fourxm->track_count) {
                 fourxm->track_count = current_track + 1;
-                if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){
-                    ret= −1;
-                    goto fail;
-                } fourxm->tracks = av_realloc(fourxm->tracks, fourxm->track_count * sizeof(AudioTrack)); if (!fourxm->tracks) ...
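Review bot: The removed bound check in this hunk was reachable only inside the `if (current_track + 1 > fourxm->track_count)` branch and only after `fourxm->track_count` had already been assigned, so a `current_track` read from the file that is negative, or so large that `current_track + 1` wraps, kept the comparison false and never hit the check; the added check runs unconditionally, right after `current_track = AV_RL32(&header[i + 8]);`, casts the value to unsigned so negative values are rejected as huge, and uses `UINT_MAX / sizeof(AudioTrack) - 1` so that the subsequent `+ 1` and the `track_count * sizeof(AudioTrack)` size passed to `av_realloc` cannot overflow. Two things worth tidying: the `av_log` message makes the failure visible to the caller but the error path still returns a bare `ret= −1` rather than a named error code, and the `−` in `ret= −1` here and in the `@@ −166,12` header is a typographic minus rather than ASCII `-`, which would not compile if applied as printed (the trailing `...` also cuts the hunk off before the end of the realloc branch, so the `if (!fourxm->tracks)` handling is not reviewable from this excerpt).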
