Fix for heap read overflow in Qt Avi Riff viewer when reading avi files created by ffmpeg. Caught by running with clang/gcc address sanitizer.

This commit is contained in:
harry 2022-08-02 21:06:51 -04:00 committed by zeromus
parent 3fed0331cc
commit 9d18523731
1 changed files with 14 additions and 7 deletions


@ -848,9 +848,11 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
} }
else if ( strcmp( strhType, "auds" ) == 0 ) else if ( strcmp( strhType, "auds" ) == 0 )
{ {
data.malloc( item->getSize()+8 ); size_t dataSize = item->getSize()+8;
avi->getChunkData( item->filePos(), data.buf, item->getSize()+8 ); data.malloc( dataSize );
avi->getChunkData( item->filePos(), data.buf, dataSize );
sprintf( stmp, "%c%c%c%c", data.buf[0], data.buf[1], data.buf[2], data.buf[3] ); sprintf( stmp, "%c%c%c%c", data.buf[0], data.buf[1], data.buf[2], data.buf[3] );
@ -908,12 +910,17 @@ int AviRiffViewerDialog::processChunk( AviRiffTreeItem *item )
twi->setText( 2, tr(stmp) ); twi->setText( 2, tr(stmp) );
item->addChild(twi); item->addChild(twi);
sprintf( stmp, "%u", data.readU16(24) ); // ffmpeg does not write out this element.
// Check chunk size to ensure it is there to avoid heap read overflow.
if ( dataSize >= 26 )
{
sprintf( stmp, "%u", data.readU16(24) );
twi = new QTreeWidgetItem(); twi = new QTreeWidgetItem();
twi->setText( 0, tr("cbSize") ); twi->setText( 0, tr("cbSize") );
twi->setText( 2, tr(stmp) ); twi->setText( 2, tr(stmp) );
item->addChild(twi); item->addChild(twi);
}
} }
} }
else if ( isRiffTag( item->getFourcc(), &riffIdx ) ) else if ( isRiffTag( item->getFourcc(), &riffIdx ) )
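Review bot: The new `if ( dataSize >= 26 )` guard in the second hunk covers only the `readU16(24)` for cbSize; the reads of the earlier WAVEFORMATEX fields (buffer offsets 8–23, presumably in the part of the `auds` branch that lies between the two hunks) stay unguarded, so an `strf` chunk shorter than 24 bytes would still read past the buffer allocated by `data.malloc( dataSize )`. Since `dataSize` is now a named local, consider checking it once up front, e.g. `if ( dataSize < 24 ) { /* TODO: too small for a WAVEFORMATEX header — skip or mark as truncated */ }`, or giving `readU16`/`readU32` a bounds check against the allocated size so every field access in this function is covered rather than one. It is also worth confirming that `getChunkData` zero-fills or reports a short read when the file ends before `dataSize` bytes, because the guard compares the declared chunk size, not the bytes actually read. `processChunk` starts and ends outside both hunks.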