From 0b66fb4505e0bb43de3797f63f3290f0188d67cc Mon Sep 17 00:00:00 2001
From: Vittorio Giovara
Date: Mon, 20 Oct 2014 14:11:21 +0100
Subject: [PATCH] flac_picture: prevent a possible out of bound write
At "mimetype[len] = 0;" mimetype is a 64 element array and len might be equal to or greater than that.
CC: libav-stable@libav.org
Bug-Id: CID 1061055
---
 libavformat/flac_picture.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavformat/flac_picture.c b/libavformat/flac_picture.c
index 69d27244ff..a6b55379f8 100644
--- a/libavformat/flac_picture.c
+++ b/libavformat/flac_picture.c
@@ -31,8 +31,8 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 uint8_t mimetype[64], *desc = NULL;
 AVIOContext *pb = NULL;
 AVStream *st;
- int type, width, height;
- int len, ret = 0;
+ int width, height, ret = 0;
+ unsigned int type, len;
 pb = avio_alloc_context(buf, buf_size, 0, NULL, NULL, NULL, NULL);
 if (!pb)
@@ -40,7 +40,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 /* read the picture type */
 type = avio_rb32(pb);
- if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types) || type < 0) {
+ if (type >= FF_ARRAY_ELEMS(ff_id3v2_picture_types)) {
 av_log(s, AV_LOG_ERROR, "Invalid picture type: %d.\n", type);
 if (s->error_recognition & AV_EF_EXPLODE) {
 ret = AVERROR_INVALIDDATA;
@@ -51,7 +51,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 /* picture mimetype */
 len = avio_rb32(pb);
- if (len <= 0 ||
+ if (!len || len >= 64 ||
 avio_read(pb, mimetype, FFMIN(len, sizeof(mimetype) - 1)) != len) {
 av_log(s, AV_LOG_ERROR, "Could not read mimetype from an attached "
 "picture.\n");
@@ -100,7 +100,7 @@ int ff_flac_parse_picture(AVFormatContext *s, uint8_t *buf, int buf_size)
 /* picture data */
 len = avio_rb32(pb);
- if (len <= 0) {
+ if (!len) {
 av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len);
 if (s->error_recognition & AV_EF_EXPLODE)
 ret = AVERROR_INVALIDDATA;
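Review bot: The `av_log` call in the picture-type hunk still formats `type` with `%d` although this commit makes it `unsigned int`, so a value with the top bit set read from the file is logged as a negative number; the format should be `"Invalid picture type: %u.\n"`. The same mismatch exists in the last hunk, where `"Invalid attached picture size: %d.\n"` now receives an unsigned `len`. The enclosing `if` block continues past the end of the hunk.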
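Review bot: The new upper bound in the mimetype check is the literal `64`, which duplicates the size of `mimetype[64]` declared at the top of the function and will drift if that buffer is ever resized; `if (!len || len >= sizeof(mimetype) ||` keeps the check tied to the array. With that bound in place `FFMIN(len, sizeof(mimetype) - 1)` can no longer clamp anything, so the read can be written `avio_read(pb, mimetype, len) != len`. A comment such as `/* len must leave room for the terminating NUL */` would record why the comparison is `>=` rather than `>`. The `mimetype[len] = 0;` store that this check protects lies outside the hunk.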
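Review bot: Replacing `len <= 0` with `!len` in the picture-data check, now that `len` is unsigned, drops the old implicit rejection of lengths with the top bit set, so any value up to UINT_MAX passes this test. The code that consumes `len` is outside the hunk, but if it adds padding to `len` for an allocation or passes it to `avio_read` (whose size parameter is `int`), wrap-around or a negative size has to be ruled out here. An explicit bound against the input, for example `if (!len || len > (unsigned)buf_size) {`, would restore the guarantee; whether `buf_size` is the right limit for this field should be confirmed against the rest of the function.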