From 9d18523731a7a7de35d518783713e73c60de50b9 Mon Sep 17 00:00:00 2001
From: harry
Date: Tue, 2 Aug 2022 21:06:51 -0400
Subject: [PATCH] Fix for heap read overflow in Qt Avi Riff viewer when reading avi files created by ffmpeg. Caught by running with clang/gcc address sanitizer.

---
 src/drivers/Qt/AviRiffViewer.cpp | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/drivers/Qt/AviRiffViewer.cpp b/src/drivers/Qt/AviRiffViewer.cpp
index 6d1e6afa..36716bae 100644
--- a/src/drivers/Qt/AviRiffViewer.cpp
+++ b/src/drivers/Qt/AviRiffViewer.cpp
@@ -848,9 +848,11 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
 }
 else if ( strcmp( strhType, "auds" ) == 0 )
 {
-   data.malloc( item->getSize()+8 );
+   size_t dataSize = item->getSize()+8;
 
-   avi->getChunkData( item->filePos(), data.buf, item->getSize()+8 );
+   data.malloc( dataSize );
+
+   avi->getChunkData( item->filePos(), data.buf, dataSize );
 
    sprintf( stmp, "%c%c%c%c", data.buf[0], data.buf[1], data.buf[2], data.buf[3] );
 
@@ -908,12 +910,17 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
    twi->setText( 2, tr(stmp) );
    item->addChild(twi);
 
-   sprintf( stmp, "%u", data.readU16(24) );
+   // ffmpeg does not write out this element.
+   // Check chunk size to ensure it is there to avoid heap read overflow.
+   if ( dataSize >= 26 )
+   {
+      sprintf( stmp, "%u", data.readU16(24) );
 
-   twi = new QTreeWidgetItem();
-   twi->setText( 0, tr("cbSize") );
-   twi->setText( 2, tr(stmp) );
-   item->addChild(twi);
+      twi = new QTreeWidgetItem();
+      twi->setText( 0, tr("cbSize") );
+      twi->setText( 2, tr(stmp) );
+      item->addChild(twi);
+   }
 }
 }
 else if ( isRiffTag( item->getFourcc(), &riffIdx ) )
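Review bot: The `dataSize >= 26` guard in the second hunk covers only the `data.readU16(24)` read; the fixed-offset reads of the same chunk that sit between the two hunks (outside this view) are presumably still unguarded, so a chunk shorter than the expected layout from a truncated or crafted file would still overrun `data.buf` there. A single minimum-length check placed right after `avi->getChunkData( item->filePos(), data.buf, dataSize );`, with the fixed-field parsing skipped (and a short-chunk note added to the tree) when it fails, would cover every read below it instead of one field at a time. `dataSize` is taken from the file's own chunk header, so if `getChunkData` reports how many bytes it actually read, that count is the safer bound than the requested size; if it does not, consider adding that return value. A comment such as `// dataSize is attacker-controlled chunk length; every fixed-offset read below must be bounds-checked against it` on the `size_t dataSize` line would make the invariant visible to later edits. processChunk starts before the first hunk and continues past the second.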