diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-08-09 13:23:10 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-08-09 13:53:27 +0200 |
| commit | 50f9c4acc3ea82a159713151e39f0f70c79aaf71 (patch) | |
| tree | 6c812e636b0373bb022a34dc7c4ce5d63081c16f | |
| parent | 211374e52a933a2b3f21a4d6e66e9f1b0623e44e (diff) | |
| download | ffmpeg-50f9c4acc3ea82a159713151e39f0f70c79aaf71.tar.gz | |
avformat/paf: Fix integer overflow and out of array read
Found-by: Laurent Butti <laurentb@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f58cd2867a8af2eed13acdd21d067b48249b14a1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/paf.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/libavformat/paf.c b/libavformat/paf.c index 09786eb34f..09aefe6770 100644 --- a/libavformat/paf.c +++ b/libavformat/paf.c @@ -233,10 +233,11 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) p->current_frame_block++; } - size = p->video_size - p->frames_offset_table[p->current_frame]; - if (size < 1) + if (p->frames_offset_table[p->current_frame] >= p->video_size) return AVERROR_INVALIDDATA; + size = p->video_size - p->frames_offset_table[p->current_frame]; + if (av_new_packet(pkt, size) < 0) return AVERROR(ENOMEM); |