AVI: fix heap buffer overflow (CVE-2011-2588)

(cherry picked from commit 9c14964bd11482d5c1d6c0e223440f9f1e5b1831)

AVI: fix heap buffer overflow (CVE-2011-2588)
(cherry picked from commit 9c14964bd11482d5c1d6c0e223440f9f1e5b1831)
6953ce08 · Rémi Denis-Courmont · 3e7f0de5 · 6953ce08
Commit 6953ce08 authored Jul 10, 2011 by Rémi Denis-Courmont
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

modules/demux/avi/libavi.c modules/demux/avi/libavi.c +3 -2

No files found.
--- a/modules/demux/avi/libavi.c
+++ b/modules/demux/avi/libavi.c
@@ -386,7 +386,8 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
        case( AVIFOURCC_vids ):
            p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
            p_chk->strf.vids.i_cat = VIDEO_ES;
-            p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
+            p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
+                                         sizeof( *p_chk->strf.vids.p_bih ) ) );
            AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
            AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
            AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
@@ -402,7 +403,7 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
            {
                p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
            }
-            if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
+            if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
            {
                memcpy( &p_chk->strf.vids.p_bih[1],
                        p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */