CVE-2017-14170

author Markus Koschany <apo@debian.org>

Sun, 30 Dec 2018 19:53:42 +0000 (20:53 +0100)

committer Mike Gabriel <sunweaver@debian.org>

Tue, 28 May 2019 12:14:01 +0000 (13:14 +0100)
author Markus Koschany <apo@debian.org>
Sun, 30 Dec 2018 19:53:42 +0000 (20:53 +0100)
committer Mike Gabriel <sunweaver@debian.org>
Tue, 28 May 2019 12:14:01 +0000 (13:14 +0100)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c

index 9aedd477f49cc0e5112b28ceee24afd5d08d5f01..5392ed91cfaac2948716058b1da03b08b6e9b36a 100644 (file)
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -743,6 +743,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
          return AVERROR(ENOMEM);
  
      length = avio_rb32(pb);
+    if(segment->nb_index_entries && length < 11)
+        return AVERROR_INVALIDDATA;
  
      segment->temporal_offset_entries = av_mallocz(segment->nb_index_entries *
                                   sizeof(*segment->temporal_offset_entries));
@@ -760,6 +762,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg
      }
  
      for (i = 0; i < segment->nb_index_entries; i++) {
+        if(avio_feof(pb))
+            return AVERROR_INVALIDDATA;
          segment->temporal_offset_entries[i] = avio_r8(pb);
          avio_r8(pb);                                        /* KeyFrameOffset */
          segment->flag_entries[i] = avio_r8(pb);
author	Markus Koschany <apo@debian.org>
	Sun, 30 Dec 2018 19:53:42 +0000 (20:53 +0100)
committer	Mike Gabriel <sunweaver@debian.org>
	Tue, 28 May 2019 12:14:01 +0000 (13:14 +0100)