avformat/icodec: Fix crash probing fuzzed file
author: Mark Harris <mark.hsj@gmail.com>
Tue, 16 Feb 2016 07:52:13 +0000 (23:52 -0800)
committer: Michael Niedermayer <michael@niedermayer.cc>
Sat, 20 Feb 2016 01:56:25 +0000 (02:56 +0100)
Avoid invalid memory read/crash when frame offset >= 0xfffffff8.
Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
(The previous commit verifies that p->buf_size >= 22.)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
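The following is an added example, not FFmpeg's code, that reproduces the bounds check described in the commit message on the base64 sample it gives (decoded by hand into a constructed 22-byte buffer). It assumes, as the hunk suggests, that `offset` is a 32-bit unsigned value and `buf_size` an `int`; the helper names and the return codes of `probe_first_entry` are this example's own. It shows that the original `offset + 8 > buf_size` wraps to a small number for an offset of 0xfffffffc and lets the probe read far outside the buffer, while the rewritten `offset > buf_size - 8` skips the entry, provided `buf_size - 8` cannot go negative.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 22-byte buffer: the commit message's base64 example decoded.
 * Bytes 0-1 reserved, 2-3 type 1, 4-5 count, then one directory entry whose
 * 4-byte little-endian image offset at byte 18 is 0xfffffffc (>= 0xfffffff8). */
static const uint8_t sample[22] = {
    0x00, 0x00, 0x01, 0x00, 0x30, 0x30,
    0x30, 0x30, 0x30, 0x30, 0x00, 0x00, 0x30, 0x00, 0x30, 0x30, 0x30, 0x30,
    0xfc, 0xff, 0xff, 0xff
};

/* Little-endian 32-bit read, standing in for AV_RL32. */
static uint32_t rl32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* The check before the patch: returns 1 if the entry is skipped ("continue"),
 * 0 if the probe goes on to read buf[offset]. With offset >= 0xfffffff8 the
 * sum offset + 8 wraps around in 32-bit unsigned arithmetic. */
static int old_check_skips(uint32_t offset, int buf_size)
{
    return offset + 8 > (uint32_t)buf_size;
}

/* The check after the patch. Relies on buf_size >= 8 (the commit message cites
 * a previous commit guaranteeing buf_size >= 22) so buf_size - 8 is never negative. */
static int new_check_skips(uint32_t offset, int buf_size)
{
    return offset > (uint32_t)(buf_size - 8);
}

/* Walk the first directory entry the way the probe loop does (i == 0).
 * Return codes (this example's own): -1 offset below the header size,
 * 0 entry skipped, 1 buf[offset] would be read in bounds,
 * 2 buf[offset] would be read OUT of bounds (the crash the patch fixes). */
static int probe_first_entry(const uint8_t *buf, int buf_size, int fixed)
{
    uint32_t offset = rl32(buf + 18);
    if (offset < 22)
        return -1;
    if (fixed ? new_check_skips(offset, buf_size) : old_check_skips(offset, buf_size))
        return 0;
    /* Only classify; never dereference buf[offset] here. */
    return offset + 8 <= (uint32_t)buf_size && offset < (uint32_t)buf_size ? 1 : 2;
}

int main(void)
{
    printf("old check: %d (2 = out-of-bounds read)\n", probe_first_entry(sample, 22, 0));
    printf("new check: %d (0 = entry skipped)\n", probe_first_entry(sample, 22, 1));
    return 0;
}
```

Running it prints `old check: 2` and `new check: 0`: the unpatched comparison accepts the wrapped offset and the probe would index the buffer with 0xfffffffc, while the patched comparison rejects it. For ordinary in-range offsets (for example 22 in a 30-byte buffer) both checks agree, so the rewrite changes only the overflow case.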
libavformat/icodec.c
index b247cb2..17acfb4 100644
@@ -63,7 +63,7 @@ static int probe(AVProbeData *p)
         offset = AV_RL32(p->buf + 18 + i * 16);
         if (offset < 22)
             return FFMIN(i, AVPROBE_SCORE_MAX / 4);
-        if (offset + 8 > p->buf_size)
+        if (offset > p->buf_size - 8)
             continue;
         if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
             return FFMIN(i, AVPROBE_SCORE_MAX / 4);
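Review bot: the rewritten comparison on the `+` line, `offset > p->buf_size - 8`, is only safe because `p->buf_size - 8` can never be negative; if `buf_size` were below 8, the subtraction would yield a negative `int` that converts to a huge unsigned value next to the unsigned `offset`, and every entry would pass the check. The commit message states that the previous commit guarantees `p->buf_size >= 22`, but nothing in this hunk shows that dependency, so consider a short comment on the new line (e.g. `/* buf_size >= 22 is checked above */`) so a later change to the earlier check does not silently bring back the out-of-bounds read at `p->buf[offset]`.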