CVE-2017-18245

commit b737a2c52857b214be246ff615c6293730033cfa
Author: wm4 <nfxjfg@googlemail.com>
Date:   Tue Feb 3 19:04:11 2015 +0100

    avformat/mpc8: fix broken pointer math

    This could overflow and crash at least on 32 bit systems.

    Reviewed-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2017-18245.patch

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 4b12219e8d36f04fe31f23bc1ce3e21f07ccbfe8..cbafbe4fc63a6acc5a1314d02d3c7f89c9925fb1 100644 (file)
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -91,7 +91,7 @@ static int mpc8_probe(AVProbeData *p)
         size = bs_get_v(&bs);
         if (size < 2)
             return 0;
-        if (bs + size - 2 >= bs_end)
+        if (size >= bs_end - bs + 2)
             return AVPROBE_SCORE_EXTENSION - 1; // seems to be valid MPC but no header yet
         if (header_found) {
             if (size < 11 || size > 28)