From f5a1e2ddabc396c4ac00361b0b6eb93a32ec7ec1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sun, 10 Jul 2011 23:14:40 +0300
Subject: [PATCH 2/2] AVI: fix heap buffer overflow (CVE-2011-2588)
---
 modules/demux/avi/libavi.c | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/demux/avi/libavi.c b/modules/demux/avi/libavi.c
index 7dbf959..c92e1f1 100644
--- a/modules/demux/avi/libavi.c
+++ b/modules/demux/avi/libavi.c
@@ -386,7 +386,8 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
 case( AVIFOURCC_vids ):
 p_strh->strh.i_samplesize = 0; /* XXX for ffmpeg avi file */
 p_chk->strf.vids.i_cat = VIDEO_ES;
- p_chk->strf.vids.p_bih = malloc( p_chk->common.i_chunk_size );
+ p_chk->strf.vids.p_bih = malloc( __MAX( p_chk->common.i_chunk_size,
+ sizeof( *p_chk->strf.vids.p_bih ) ) );
 AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize );
 AVI_READ4BYTES( p_chk->strf.vids.p_bih->biWidth );
 AVI_READ4BYTES( p_chk->strf.vids.p_bih->biHeight );
@@ -402,7 +403,7 @@ static int AVI_ChunkRead_strf( stream_t *s, avi_chunk_t *p_chk )
 {
 p_chk->strf.vids.p_bih->biSize = p_chk->common.i_chunk_size;
 }
- if( p_chk->common.i_chunk_size - sizeof(BITMAPINFOHEADER) > 0 )
+ if( p_chk->common.i_chunk_size > sizeof(BITMAPINFOHEADER) )
 {
 memcpy( &p_chk->strf.vids.p_bih[1],
 p_buff + 8 + sizeof(BITMAPINFOHEADER), /* 8=fourrc+size */
-- 
1.7.5.4
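Review bot: The malloc() on the first added line of the first hunk is still unchecked: on allocation failure p_chk->strf.vids.p_bih is NULL and the very next `AVI_READ4BYTES( p_chk->strf.vids.p_bih->biSize )` writes through it, so the new minimum-size allocation closes the overflow but leaves a NULL dereference on the out-of-memory path. Add `if( !p_chk->strf.vids.p_bih ) return VLC_ENOMEM;` directly after the allocation, releasing any buffer the function already owns first — AVI_ChunkRead_strf starts and ends outside both hunks, so its cleanup convention is not visible here. The added __MAX() compares i_chunk_size with a size_t; if i_chunk_size is declared as a signed type that comparison is done unsigned, which is worth confirming against the field's declaration. In the second hunk the memcpy length continues past the hunk; given the first hunk the destination holds exactly i_chunk_size bytes, so the copy stays in bounds only if that length is i_chunk_size - sizeof(BITMAPINFOHEADER), which the following lines should confirm.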