From: jeanlf Date: Thu, 31 Mar 2022 11:57:05 +0000 (+0200) Subject: [PATCH] fixed #2159 X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~46 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=367100fdd122993aa936b6aee7e412d66ff99da3;p=gpac.git [PATCH] fixed #2159 Gbp-Pq: Name CVE-2022-1222.patch --- diff --git a/src/media_tools/avilib.c b/src/media_tools/avilib.c index 593d12a..d36ac11 100644 --- a/src/media_tools/avilib.c +++ b/src/media_tools/avilib.c @@ -1882,8 +1882,8 @@ avi_t *AVI_open_fd(FILE *fd, int getIndex) int avi_parse_input_file(avi_t *AVI, int getIndex) { - int i, rate, scale, idx_type; - s64 n; + int rate, scale, idx_type; + s64 n, i; unsigned char *hdrl_data; u64 header_offset=0; int hdrl_len=0; @@ -1937,6 +1937,7 @@ int avi_parse_input_file(avi_t *AVI, int getIndex) n -= 4; if(strnicmp(data,"hdrl",4) == 0) { + if (n>0xFFFFFFFF) ERR_EXIT(AVI_ERR_READ) hdrl_len = (u32) n; hdrl_data = (unsigned char *) gf_malloc((u32)n); if(hdrl_data==0) ERR_EXIT(AVI_ERR_NO_MEM); @@ -2089,8 +2090,10 @@ int avi_parse_input_file(avi_t *AVI, int getIndex) AVI->compressor2[4] = 0; if (n>40) { + if (n>0xFFFFFFFF) ERR_EXIT(AVI_ERR_READ) AVI->extradata_size = (u32) (n - 40); AVI->extradata = gf_malloc(sizeof(u8)* AVI->extradata_size); + if (!AVI->extradata) ERR_EXIT(AVI_ERR_NO_MEM) memcpy(AVI->extradata, hdrl_data + i + 40, AVI->extradata_size); }
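Review bot: In the `hdrl` branch the new guard `if (n>0xFFFFFFFF)` still admits sizes that `hdrl_len` cannot hold. `hdrl_len` is declared `int` (context of the first hunk), so an `n` between 0x80000000 and 0xFFFFFFFF typically turns negative in `hdrl_len = (u32) n;`. A negative `n` left by `n -= 4;` also passes the guard and becomes a very large `(u32)n` allocation size. Whether `n` can be below 4 at this point depends on code outside the hunk, but the check is cheap to tighten: `if (n < 0 || n > 0x7FFFFFFF) ERR_EXIT(AVI_ERR_READ);`. The same upper-bound-only guard is repeated in the extradata hunk, and the body of avi_parse_input_file continues outside this hunk.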
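Review bot: The `memcpy` from `hdrl_data + i + 40` is limited only by the chunk's own size field `n`. Nothing in this hunk checks that `i + n` stays within `hdrl_len`, so a declared size larger than what remains of the header buffer would make the copy read past the `hdrl_data` allocation. Unless that bound is already enforced earlier in the loop (outside the hunk), add `if (i + n > hdrl_len) ERR_EXIT(AVI_ERR_READ);` before `extradata_size` is computed. The new NULL check on `AVI->extradata` covers allocation failure but does not cover this case.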