diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-03-05 01:35:28 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-03-20 19:59:47 +0100 |
| commit | 31f337c1e44ebe53e4e23b24aa6c2a62f6862236 (patch) | |
| tree | 9d4420ae4d3f98ae47f85945d96da99ab420307e | |
| parent | f84ddb0c0fbb7f1c0ff34418426840f6ea79448e (diff) | |
| download | ffmpeg-31f337c1e44ebe53e4e23b24aa6c2a62f6862236.tar.gz | |
iff: fix integer overflow
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/iff.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c index 0055283b0e..b207990fc6 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -201,6 +201,8 @@ static int iff_read_header(AVFormatContext *s) break; case ID_CMAP: + if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE; st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); if (!st->codec->extradata) @@ -323,6 +325,7 @@ static int iff_read_header(AVFormatContext *s) if (!st->codec->extradata) return AVERROR(ENOMEM); } + av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE); buf = st->codec->extradata; bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE); bytestream_put_byte(&buf, iff->bitmap_compression); |