diff options
author | 李赞 <lizan@ruc.edu.cn> | 2017-05-10 14:55:34 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-17 20:35:20 +0200 |
commit | 00e8a7adf4afb350c1b4556d7d2b66412713c463 (patch) | |
tree | 2c3e164ca7a3e238ba1a42b4b12a454fdf00aebd | |
parent | 742ccace7c3516d2fc23618136e14390a3557af1 (diff) | |
download | ffmpeg-00e8a7adf4afb350c1b4556d7d2b66412713c463.tar.gz |
avformat/wavdec: Check chunk_size
Fixes integer overflow and out of array access
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d232196372f309a75ed074c4cef30578eec1782)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavformat/wavdec.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index d95596f6ed..a9ba03f557 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -804,6 +804,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) |