From eedd9148733ff4467c62092ad1c1a26d6125b249 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 20 Dec 2013 18:07:30 +0100
Subject: [PATCH] avformat/pva: Make sure the header is large enough before reading the timestamp from it
Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f34b5dc6d58_2674_PVA_test-partial.pva
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/pva.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavformat/pva.c b/libavformat/pva.c
index 635fb728b3..18ab1cd3fc 100644
--- a/libavformat/pva.c
+++ b/libavformat/pva.c
@@ -152,8 +152,14 @@ recover:
 pvactx->continue_pes = pes_packet_length;
- if (pes_flags & 0x80 && (pes_header_data[0] & 0xf0) == 0x20)
+ if (pes_flags & 0x80 && (pes_header_data[0] & 0xf0) == 0x20) {
+ if (pes_header_data_length < 5) {
+ pva_log(s, AV_LOG_ERROR, "header too short\n");
+ avio_skip(pb, length);
+ return AVERROR_INVALIDDATA;
+ }
 pva_pts = ff_parse_pes_pts(pes_header_data);
+ }
 }
 pvactx->continue_pes -= length;
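Review bot: The outer condition still evaluates `pes_header_data[0]` before the new `pes_header_data_length < 5` test runs, so a packet with the 0x80 flag set and a zero-length header reads a byte that was presumably never filled (the read into pes_header_data is outside the hunk). Testing the length first closes that gap, e.g. `if (pes_flags & 0x80 && pes_header_data_length > 0 && (pes_header_data[0] & 0xf0) == 0x20) {`. The length check also only helps if the earlier read really delivered pes_header_data_length bytes; that call is outside the hunk, so confirm its return value is checked for truncated input such as the partial file named in the commit message. A short comment on the constant, `/* ff_parse_pes_pts() reads 5 bytes */`, would explain where the 5 comes from.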