github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
165d5a2547bfc5ff22cd98950bca7fcddb7dea9d
electron/patches/ffmpeg/cherry-pick-c2c8cac2131b.patch
Pedro Pontes 73923c862e chore: cherry-pick c2c8cac2131b from ffmpeg (#35793) 
* chore: cherry-pick c2c8cac2131b from ffmpeg

* chore: update patches

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
2022-09-23 12:39:12 -07:00

58 lines
2.5 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 28 Jul 2022 14:42:43 +0200
Subject: avformat/mov: Check count sums in build_open_gop_key_points()
Fixes: ffmpeg.md
Fixes: Out of array access
Fixes: CVE-2022-2566
Bug: 1348283
Found-by: Andy Nguyen <theflow@google.com>
Found-by: 3pvd <3pvd@google.com>
Change-Id: I6821c87acce5a62cd9a5b829c17f56ae6418116a
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64d7d8d0e5035087ebe24a65845b36f78e7fad92)
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/third_party/ffmpeg/+/3890391
Reviewed-by: Matthew Wolenetz <wolenetz@chromium.org>
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 124c8e907f2e0cb5777b5433ccdb17ac52f0b6eb..595babcd4bfb1298d2928b1f4c9b40b2d09971e9 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3943,8 +3943,11 @@ static int build_open_gop_key_points(AVStream *st)
/* Build an unrolled index of the samples */
sc->sample_offsets_count = 0;
- for (uint32_t i = 0; i < sc->ctts_count; i++)
+ for (uint32_t i = 0; i < sc->ctts_count; i++) {
+ if (sc->ctts_data[i].count > INT_MAX - sc->sample_offsets_count)
+ return AVERROR(ENOMEM);
sc->sample_offsets_count += sc->ctts_data[i].count;
+ }
av_freep(&sc->sample_offsets);
sc->sample_offsets = av_calloc(sc->sample_offsets_count, sizeof(*sc->sample_offsets));
if (!sc->sample_offsets)
@@ -3963,8 +3966,11 @@ static int build_open_gop_key_points(AVStream *st)
/* Build a list of open-GOP key samples */
sc->open_key_samples_count = 0;
for (uint32_t i = 0; i < sc->sync_group_count; i++)
- if (sc->sync_group[i].index == cra_index)
+ if (sc->sync_group[i].index == cra_index) {
+ if (sc->sync_group[i].count > INT_MAX - sc->open_key_samples_count)
+ return AVERROR(ENOMEM);
sc->open_key_samples_count += sc->sync_group[i].count;
+ }
av_freep(&sc->open_key_samples);
sc->open_key_samples = av_calloc(sc->open_key_samples_count, sizeof(*sc->open_key_samples));
if (!sc->open_key_samples)
@@ -3975,6 +3981,8 @@ static int build_open_gop_key_points(AVStream *st)
if (sg->index == cra_index)
for (uint32_t j = 0; j < sg->count; j++)
sc->open_key_samples[k++] = sample_id;
+ if (sg->count > INT_MAX - sample_id)
+ return AVERROR_PATCHWELCOME;
sample_id += sg->count;
}
Reference in New Issue View Git Blame Copy Permalink