diff options
author | John Rummell <jrummell@chromium.org> | 2020-03-31 06:30:33 +0200 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-07-23 08:17:17 +0000 |
commit | 52367e8e7534f945e1c2c9e305c75aea7d9424f1 (patch) | |
tree | 956c8ac6f5c37a487fa9224d5ea9d04f9af14059 | |
parent | 99fe8bdb44af780ea30c33839b6eebde4f4e2fe7 (diff) | |
download | qtwebengine-chromium-52367e8e7534f945e1c2c9e305c75aea7d9424f1.tar.gz |
[Backport] Security bug 1065731
Backport of patch originally committed to ffmpeg:
libavformat/amr.c: Check return value from avio_read()
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with initialized data. Caught by
Chromium fuzzeras (crbug.com/1065731).
Change-Id: I6fc8f1f2abddb6ed1e4aaf36da174c4912aa252a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/ffmpeg/libavformat/amr.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/ffmpeg/libavformat/amr.c b/chromium/third_party/ffmpeg/libavformat/amr.c index 42840a50a30..a963eb3ded7 100644 --- a/chromium/third_party/ffmpeg/libavformat/amr.c +++ b/chromium/third_party/ffmpeg/libavformat/amr.c @@ -90,13 +90,15 @@ static int amr_read_header(AVFormatContext *s) AVStream *st; uint8_t header[9]; - avio_read(pb, header, 6); + if (avio_read(pb, header, 6) != 6) + return AVERROR_INVALIDDATA; st = avformat_new_stream(s, NULL); if (!st) return AVERROR(ENOMEM); if (memcmp(header, AMR_header, 6)) { - avio_read(pb, header + 6, 3); + if (avio_read(pb, header + 6, 3) != 3) + return AVERROR_INVALIDDATA; if (memcmp(header, AMRWB_header, 9)) { return -1; } |