Fix for heap read overflow in Qt Avi Riff viewer when reading avi files created by ffmpeg. Caught by running with clang/gcc address sanitizer.
This commit is contained in:
parent
3fed0331cc
commit
9d18523731
|
@ -848,9 +848,11 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
|
||||||
}
|
}
|
||||||
else if ( strcmp( strhType, "auds" ) == 0 )
|
else if ( strcmp( strhType, "auds" ) == 0 )
|
||||||
{
|
{
|
||||||
data.malloc( item->getSize()+8 );
|
size_t dataSize = item->getSize()+8;
|
||||||
|
|
||||||
avi->getChunkData( item->filePos(), data.buf, item->getSize()+8 );
|
data.malloc( dataSize );
|
||||||
|
|
||||||
|
avi->getChunkData( item->filePos(), data.buf, dataSize );
|
||||||
|
|
||||||
sprintf( stmp, "%c%c%c%c", data.buf[0], data.buf[1], data.buf[2], data.buf[3] );
|
sprintf( stmp, "%c%c%c%c", data.buf[0], data.buf[1], data.buf[2], data.buf[3] );
|
||||||
|
|
||||||
|
@ -908,6 +910,10 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
|
||||||
twi->setText( 2, tr(stmp) );
|
twi->setText( 2, tr(stmp) );
|
||||||
item->addChild(twi);
|
item->addChild(twi);
|
||||||
|
|
||||||
|
// ffmpeg does not write out this element.
|
||||||
|
// Check chunk size to ensure it is there to avoid heap read overflow.
|
||||||
|
if ( dataSize >= 26 )
|
||||||
|
{
|
||||||
sprintf( stmp, "%u", data.readU16(24) );
|
sprintf( stmp, "%u", data.readU16(24) );
|
||||||
|
|
||||||
twi = new QTreeWidgetItem();
|
twi = new QTreeWidgetItem();
|
||||||
|
@ -916,6 +922,7 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
|
||||||
item->addChild(twi);
|
item->addChild(twi);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
else if ( isRiffTag( item->getFourcc(), &riffIdx ) )
|
else if ( isRiffTag( item->getFourcc(), &riffIdx ) )
|
||||||
{
|
{
|
||||||
int j=0;
|
int j=0;
|
||||||
|
|
Loading…
Reference in New Issue