mirror of
https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg
synced 2026-04-20 12:50:49 +08:00
avformat/rtpdec_qdm2: Check block_size
Fixes: out of array access no testcase Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
committed by
michaelni
parent
660d6ece1b
commit
29a0973855
@@ -186,8 +186,9 @@ static int qdm2_parse_subpacket(PayloadContext *qdm, AVStream *st,
|
||||
*/
|
||||
static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
|
||||
{
|
||||
int to_copy, n, res, include_csum;
|
||||
int to_copy, n, res;
|
||||
uint8_t *p, *csum_pos = NULL;
|
||||
int include_csum = qdm->block_type == 2 || qdm->block_type == 4;
|
||||
|
||||
/* create packet to hold subpkts into a superblock */
|
||||
av_assert0(qdm->cache > 0);
|
||||
@@ -196,6 +197,11 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
|
||||
break;
|
||||
av_assert0(n < 0x80);
|
||||
|
||||
int min_size = 2 + (qdm->len[n] > 0xff) + 2*include_csum;
|
||||
|
||||
if (qdm->block_size < min_size)
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
||||
if ((res = av_new_packet(pkt, qdm->block_size)) < 0)
|
||||
return res;
|
||||
memset(pkt->data, 0, pkt->size);
|
||||
@@ -211,7 +217,7 @@ static int qdm2_restore_block(PayloadContext *qdm, AVStream *st, AVPacket *pkt)
|
||||
*p++ = qdm->block_type;
|
||||
*p++ = qdm->len[n];
|
||||
}
|
||||
if ((include_csum = (qdm->block_type == 2 || qdm->block_type == 4))) {
|
||||
if (include_csum) {
|
||||
csum_pos = p;
|
||||
p += 2;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user