avformat/cafdec: fix negative index use in read_seek
av_index_search_timestamp() returns a negative value when a seek target cannot be resolved from the stream index. Bail out before using that result as an index into sti->index_entries to avoid out-of-bounds reads.

Fixes: Buffer underflow
Fixes: DFVULN-608

*Vulnerability reported by Zhenpeng (Leo) Lin at depthfirst*
*Patch validated by Zheng Yu at depthfirst*
Committed by: michaelni
Parent: 05817dc7dd
Commit: 5408059eb7
@@ -568,6 +568,8 @@ static int read_seek(AVFormatContext *s, int stream_index,
frame_cnt = caf->frames_per_packet * packet_cnt - st->codecpar->initial_padding;
} else if (sti->nb_index_entries) {
packet_cnt = av_index_search_timestamp(st, timestamp, flags);
if (packet_cnt < 0)
return -1;
frame_cnt = sti->index_entries[packet_cnt].timestamp;
pos = sti->index_entries[packet_cnt].pos;
} else {
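Review bot: The new early exit in the `sti->nb_index_entries` branch returns a bare `-1` when `packet_cnt < 0`; returning an AVERROR code, or propagating `packet_cnt` itself, would tell the caller why the seek failed. The guard is placed correctly, ahead of both `sti->index_entries[packet_cnt]` reads (`.timestamp` and `.pos`). A one-line comment stating that av_index_search_timestamp() returns a negative value when the target cannot be resolved would help keep the check from being removed in a later cleanup.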