diff options
author | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2011-07-30 11:45:15 +0200 |
---|---|---|
committer | Reimar Döffinger <Reimar.Doeffinger@gmx.de> | 2011-07-31 19:40:08 +0200 |
commit | b39f872a41b92a31589052c8f914c5b52f206fd0 (patch) | |
tree | a8d4ccbeba53a78f6a6a49dd7355e71e9e359e38 | |
parent | 8400607267458371398b0d3f170b6c0d9c688453 (diff) | |
download | ffmpeg-b39f872a41b92a31589052c8f914c5b52f206fd0.tar.gz |
Limit fsize before adding to pointer.
This avoids a theoretically possible pointer arithmetic overflow
which would lead to a crash due to reading from NULL page.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
-rw-r--r-- | libavformat/aacdec.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index ded11b6854..c3a5029260 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c @@ -47,6 +47,7 @@ static int adts_aac_probe(AVProbeData *p) fsize = (AV_RB32(buf2 + 3) >> 13) & 0x1FFF; if(fsize < 7) break; + fsize = FFMIN(fsize, end - buf2); buf2 += fsize; } max_frames = FFMAX(max_frames, frames); |