From d9293648147013403de729958ea4c19a5b6c40e4 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 5 Mar 2013 21:56:46 +0100
Subject: [PATCH] asfdec: dont truncate type 2-5 values

Fixes use of uninitialized variables and possible out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/asfdec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 38f46a6474..de42b45a8e 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -278,11 +278,12 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
 {
     char *value;
     int64_t off = avio_tell(s->pb);
+#define LEN 22
 
-    if ((unsigned)len >= (UINT_MAX - 1) / 2)
+    if ((unsigned)len >= (UINT_MAX - LEN) / 2)
         return;
 
-    value = av_malloc(2 * len + 1);
+    value = av_malloc(2 * len + LEN);
     if (!value)
         goto finish;
 
@@ -302,7 +303,7 @@ static void get_tag(AVFormatContext *s, const char *key, int type, int len, int
         goto finish;
     } else if (type > 1 && type <= 5) {  // boolean or DWORD or QWORD or WORD
         uint64_t num = get_value(s->pb, type, type2_size);
-        snprintf(value, len, "%"PRIu64, num);
+        snprintf(value, LEN, "%"PRIu64, num);
     } else if (type == 6) {        // (don't) handle GUID
         av_log(s, AV_LOG_DEBUG, "Unsupported GUID value in tag %s.\n", key);
         goto finish;
-- 
2.11.0
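Review bot: `#define LEN 22` is introduced inside get_tag's body under a generic name with no explanation, and as far as the hunk shows nothing `#undef`s it, so it stays visible to every later function in the file; the reader has to work out that 22 is the longest decimal rendering of a uint64_t (20 digits) plus the terminator with a little headroom. I would put `/* largest decimal uint64_t (20 digits) plus NUL, with headroom */` beside the define and `#undef LEN` at the end of get_tag, or give the macro a function-specific name. Separately, `2 * len + LEN` on the av_malloc line is still computed in int: the guard only bounds `(unsigned)len` below `(UINT_MAX - LEN) / 2`, so an int len above INT_MAX / 2 passes it and `2 * len` overflows signed arithmetic before av_malloc ever sees a size_t; `value = av_malloc(2 * (size_t)len + LEN);` keeps the whole expression unsigned. get_tag's body continues outside both hunks, so the later uses of `len` and `value` are not reviewed here.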