From: Jiyong Min Date: Thu, 23 Jun 2016 06:21:19 +0000 (+0900) Subject: [CVE patch] CVE-2016-2636 in libav version 11.7 X-Git-Tag: accepted/tizen/common/20160627.191537^0 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F95%2F76195%2F1;p=platform%2Fupstream%2Flibav.git [CVE patch] CVE-2016-2636 in libav version 11.7 - asfenc: fix some possible integer overflows (CVE-2016-2326) Change-Id: I9904997efff6a91ed4c74d4135611c04a63e637f Signed-off-by: Jiyong Min --- diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c index 4ae52bd..4cd1a4a 100644 --- a/libavformat/asfenc.c +++ b/libavformat/asfenc.c @@ -410,7 +410,7 @@ static int asf_write_header1(AVFormatContext *s, int64_t file_size, avio_wl64(pb, unix_to_file_time(file_time)); avio_wl64(pb, asf->nb_packets); /* number of packets */ avio_wl64(pb, play_duration); /* end time stamp (in 100ns units) */ - avio_wl64(pb, send->duration); /* duration (in 100ns units) */ + avio_wl64(pb, send_duration); /* duration (in 100ns units) */ avio_wl64(pb, PREROLL_TIME); /* start time stamp */ avio_wl32(pb, (asf->is_streamed || !pb->seekable) ? 3 : 2); /* ??? */ avio_wl32(pb, s->packet_size); /* packet size */ @@ -869,10 +869,6 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt) return AVERROR(ERANGE); start_sec = pts / 1000; - if (start_sec != asf->last_indexed_pts / 1000) { if (pts / 1000LL > INT_MAX) - return AVERROR(ERANGE); - - start_sec = pts / 1000; if (start_sec != asf->last_indexed_pts / 1000) { for (i = asf->nb_index_count; i < start_sec; i++) { if (i >= asf->nb_index_memory_alloc) {