Commit 56cbe9c4 authored by Hugo Beauzée-Luyssen

avi: Fix integer overflow



Which would in turn cause a size verification failure, leading to a
buffer overflow
Reported by: Zhen Zhou, NSFOCUS Security Team

(cherry picked from commit a4b1de184faf86617b4432954c1984e0027fb246)
Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>
parent ec1f55ee
......@@ -3078,7 +3078,7 @@ static void AVI_ExtractSubtitle( demux_t *p_demux,
if( i_size < 6 || GetWLE( &p[0] ) != 0x04 )
goto exit;
const unsigned i_payload = GetDWLE( &p[2] );
if( i_size < 6 + i_payload || i_payload <= 0 )
if( i_size - 6 < i_payload || i_payload == 0 )
goto exit;
p += 6;
i_size -= 6;
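Review bot: The rewritten comparison `i_size - 6 < i_payload` is only safe because of the `i_size < 6` test at the top of this hunk, and nothing in the code records that dependency; if the two checks are ever reordered or the first one is relaxed, the subtraction itself can wrap. Consider doing the comparison after `p += 6; i_size -= 6;` as `i_size < i_payload`, or adding a short comment that ties the two checks together. It would also help to note why the old form failed: `i_payload` is `unsigned` and read straight from the file with `GetDWLE`, so `6 + i_payload` wraps to a small value when the field is near the 32-bit maximum and the size check passes. A one-line comment to that effect would keep the expression from being rewritten back to the additive form.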
......