From 9e35dd7c8f1c03b6bd4ca54710da38729c27f821 Mon Sep 17 00:00:00 2001
From: Jiyong Min
Date: Thu, 23 Jun 2016 15:21:19 +0900
Subject: [PATCH] [CVE patch] CVE-2016-2636 in libav version 11.7 - asfenc: fix some possible integer overflows (CVE-2016-2326)
Change-Id: I9904997efff6a91ed4c74d4135611c04a63e637f
Signed-off-by: Jiyong Min
---
 libavformat/asfenc.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/libavformat/asfenc.c b/libavformat/asfenc.c
index 4ae52bd..4cd1a4a 100644
--- a/libavformat/asfenc.c
+++ b/libavformat/asfenc.c
@@ -410,7 +410,7 @@ static int asf_write_header1(AVFormatContext *s, int64_t file_size,
 avio_wl64(pb, unix_to_file_time(file_time));
 avio_wl64(pb, asf->nb_packets); /* number of packets */
 avio_wl64(pb, play_duration); /* end time stamp (in 100ns units) */
- avio_wl64(pb, send->duration); /* duration (in 100ns units) */
+ avio_wl64(pb, send_duration); /* duration (in 100ns units) */
 avio_wl64(pb, PREROLL_TIME); /* start time stamp */
 avio_wl32(pb, (asf->is_streamed || !pb->seekable) ? 3 : 2); /* ??? */
 avio_wl32(pb, s->packet_size); /* packet size */
@@ -869,10 +869,6 @@ static int asf_write_packet(AVFormatContext *s, AVPacket *pkt)
 return AVERROR(ERANGE);
 start_sec = pts / 1000;
- if (start_sec != asf->last_indexed_pts / 1000) {
 if (pts / 1000LL > INT_MAX)
- return AVERROR(ERANGE);
-
- start_sec = pts / 1000;
 if (start_sec != asf->last_indexed_pts / 1000) {
 for (i = asf->nb_index_count; i < start_sec; i++) {
 if (i >= asf->nb_index_memory_alloc) {
--
2.7.4
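Review bot: In the second hunk the context line `if (pts / 1000LL > INT_MAX)` survives while the `return AVERROR(ERANGE);` that followed it is removed, so on the new side it reads as the guard of the `if (start_sec != asf->last_indexed_pts / 1000) {` block. The hunk opens with `return AVERROR(ERANGE);` and `start_sec = pts / 1000;`, which suggests the same range check has already returned just above; if so, the leftover condition is always false at this point and the index update below it never runs. The counts in the hunk header (`-869,10 +869,6`) agree with that line being context rather than removed, so this looks like part of the patch and not a display artefact, though the indentation is lost on this page. I would delete the leftover line as well, so that `start_sec = pts / 1000;` is followed directly by `if (start_sec != asf->last_indexed_pts / 1000) {`. asf_write_packet starts and ends outside the hunk; separately, the subject names both CVE-2016-2636 and CVE-2016-2326, so the id this backport tracks should be confirmed.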