shithub: mcfs


ref: f6a0362e0845888acf03cac6a6fd8e98ffae42d2
parent: eaf8ae4343cc93a94df268a0d01ef6d2dcb5e52a
author: Sigrid Solveig Haflínudóttir <ftrvxmtrx@gmail.com>
date: Wed Jan 20 09:23:22 EST 2021

ivf: make sure to not read outside of the codec private data

--- a/ivf.c
+++ b/ivf.c
@@ -44,7 +44,7 @@
 int
 ivfpacket(Biobuf *out, Packetctx *ctx, Packet *p, int np, uvlong ts)
 {
-	u8int d[0x20], *x, *y;
+	u8int d[0x20], *x, *y, *e;
 	int i, n, len;
 	uvlong dur;
 
@@ -104,6 +104,7 @@
 				}
 
 				x = ctx->codec.priv.data;
+				e = x + ctx->codec.priv.sz;
 				if(x[0] != 1){
 					werrstr("avc config: invalid version %d", x[0]);
 					goto err;
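Review bot: The version byte `x[0]` is read immediately after `e` is computed, and `e` is only used in the two parameter-set loops further down, so this read and any fixed-offset header reads between this hunk and the sps loop still rely on `ctx->codec.priv.sz` being large enough. The closing brace at the top of the hunk may belong to a minimum-length check, but that is not visible here. If no such check exists, comparing `priv.sz` against the fixed header size before touching `x[0]` would cover it. A short comment such as `/* e: one past the end of the codec private data */` on the new line would also make the later `> e` comparisons easier to read. The enclosing block starts and ends outside the hunk.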
@@ -122,6 +123,10 @@
 				for(i = 0; i < n; i++){
 					len = y[0] << 8 | y[1];
 					y += 2;
+					if(y+len > e){
+						werrstr("sps out of range");
+						goto err;
+					}
 					memmove(x+4, y, len);
 					if(ivfframe(out, x, 4+len, 0, 0) != 0)
 						goto err;
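Review bot: The two length bytes `y[0]` and `y[1]` are read before any bounds check, so a record truncated at the end of the private data can still read up to two bytes past `e`; the added check covers only the payload. A guard ahead of the read, `if(e - y < 2){ werrstr("sps out of range"); goto err; }`, would close that. The comparison `y+len > e` also forms a pointer that can lie far past the buffer (`len` can be up to 0xffff), which is undefined behaviour in C, whereas `len > e - y` is the same test without the out-of-range pointer. The pps loop in the next hunk has both issues. The loop's enclosing block starts and ends outside the hunk, so whether `n`, the initial `y` and the room at `x+4` are validated cannot be seen from here.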
@@ -133,6 +138,10 @@
 				for(i = 0; i < n; i++){
 					len = y[0] << 8 | y[1];
 					y += 2;
+					if(y+len > e){
+						werrstr("pps out of range");
+						goto err;
+					}
 					memmove(x+4, y, len);
 					if(ivfframe(out, x, 4+len, 0, 0) != 0)
 						goto err;