57d7ee5a36
- jpegdec: Actually search for and parse RSTn. - mpeg4: Adjust dummy frame threshold for packed DivX. - mpeg4: Fix another packed DivX issue. - jpegdec: Better RSTn skiping. - Fix memory corruption in case of memory allocation failure. - cavsdec: Avoid possible crash with crafted input. - rtp: Fix integer underflow that could allow remote code execution. MSVR-11-008 8 - rtpdec_asf: Fix memleak. - mp3dec: Dont spam the user on multiple MP3 frames. - wavpack: Fixed invalid access with corrupted extra bits sub-blocks. - wavpack: Fixed invalid writes with corrupted bitstreams. - wavpack: Fixed invalid access with corrupted bitstream.
24 lines
973 B
Plaintext
24 lines
973 B
Plaintext
$OpenBSD: patch-libavformat_rtpdec_asf_c,v 1.1 2011/09/12 21:04:49 sthen Exp $
|
|
|
|
- Fix integer underflow that could allow remote code execution. MSVR-11-0088
|
|
- Fix memleak.
|
|
|
|
--- libavformat/rtpdec_asf.c.orig Thu Sep 8 14:49:36 2011
|
|
+++ libavformat/rtpdec_asf.c Thu Sep 8 14:52:50 2011
|
|
@@ -230,8 +230,14 @@ static int asfrtp_parse_packet(AVFormatContext *s, Pay
|
|
|
|
int cur_len = start_off + len_off - off;
|
|
int prev_len = out_len;
|
|
+ void *newbuf;
|
|
out_len += cur_len;
|
|
- asf->buf = av_realloc(asf->buf, out_len);
|
|
+ if(FFMIN(cur_len, len - off)<0)
|
|
+ return -1;
|
|
+ newbuf = av_realloc(asf->buf, out_len);
|
|
+ if(!newbuf)
|
|
+ return -1;
|
|
+ asf->buf= newbuf;
|
|
memcpy(asf->buf + prev_len, buf + off,
|
|
FFMIN(cur_len, len - off));
|
|
avio_skip(pb, cur_len);
|