From 0305244dbe573b4902b12396f0bf0db23a4b2de7 Mon Sep 17 00:00:00 2001 From: =?utf8?q?=E5=AD=99=E6=B5=A9=28=E6=99=93=E9=BB=91=29?= Date: Tue, 29 Aug 2017 23:59:21 +0200 Subject: [PATCH] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Fixes: 20170829B.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer Gbp-Pq: Name CVE-2017-14169.patch --- libavformat/mxfdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 5392ed9..2db7e9d 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -407,12 +407,13 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > UINT_MAX / item_len) + if (item_num > 65536 || item_num < 0) + av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; - mxf->local_tags_count = item_num; mxf->local_tags = av_malloc(item_num*item_len); if (!mxf->local_tags) return AVERROR(ENOMEM); + mxf->local_tags_count = item_num; avio_read(pb, mxf->local_tags, item_num*item_len); return 0; } -- 2.30.2