Commit 6953ce08 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

AVI: fix heap buffer overflow (CVE-2011-2588)

(cherry picked from commit 9c14964bd11482d5c1d6c0e223440f9f1e5b1831)
parent 3e7f0de5
......@@ -386,7 +386,8 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
case( AVIFOURCC_vids ):
p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
p_chk->strf.vids.i_cat = VIDEO_ES;
p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
sizeof( *p_chk->strf.vids.p_bih ) ) );
AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
......@@ -402,7 +403,7 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
{
p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
}
if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
{
memcpy( &p_chk->strf.vids.p_bih[1],
p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment