[vlc-commits] avi: Fix integer overflow
Hugo Beauzée-Luyssen
git at videolan.org
Tue Dec 15 11:38:49 UTC 2020
vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Mon Nov 9 09:54:27 2020 +0100| [a4b1de184faf86617b4432954c1984e0027fb246] | committer: Hugo Beauzée-Luyssen
avi: Fix integer overflow
Which would in turn cause a size verification failure, leading to a
buffer overflow
Reported by: Zhen Zhou, NSFOCUS Security Team
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a4b1de184faf86617b4432954c1984e0027fb246
---
modules/demux/avi/avi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/demux/avi/avi.c b/modules/demux/avi/avi.c
index 9174b3167b..c3aa70ef57 100644
--- a/modules/demux/avi/avi.c
+++ b/modules/demux/avi/avi.c
@@ -2933,7 +2933,7 @@ static void AVI_ExtractSubtitle( demux_t *p_demux,
if( i_size < 6 || GetWLE( &p[0] ) != 0x04 )
goto exit;
const unsigned i_payload = GetDWLE( &p[2] );
- if( i_size < 6 + i_payload || i_payload <= 0 )
+ if( i_size - 6 < i_payload || i_payload == 0 )
goto exit;
p += 6;
i_size -= 6;
More information about the vlc-commits
mailing list