From: 孙浩(晓黑) <tony.sh@alibaba-inc.com>
Date: Tue, 29 Aug 2017 21:59:21 +0000 (+0200)
Subject: avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u8+rpi1^2~20
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=666ed84446be93a7f90aa8f194edb9d0f4eaa548;p=libav.git

avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Gbp-Pq: Name CVE-2017-14169.patch
---

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 5392ed9..2db7e9d 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -407,12 +407,13 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U
         avpriv_request_sample(pb, "Primer pack item length %d", item_len);
         return AVERROR_PATCHWELCOME;
     }
-    if (item_num > UINT_MAX / item_len)
+    if (item_num > 65536 || item_num < 0)
+        av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
         return AVERROR_INVALIDDATA;
-    mxf->local_tags_count = item_num;
     mxf->local_tags = av_malloc(item_num*item_len);
     if (!mxf->local_tags)
         return AVERROR(ENOMEM);
+    mxf->local_tags_count = item_num;
     avio_read(pb, mxf->local_tags, item_num*item_len);
     return 0;
 }