avformat/asfdec_o: Check size_bmp more fully

Fixes: integer overflow and out of array access Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7 Found-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869) Signed-off-by: James Almer <jamrial@gmail.com>
author: Michael Niedermayer <michael@niedermayer.cc> 2018-07-03 21:01:23 +0200
committer: James Almer <jamrial@gmail.com> 2018-08-08 01:37:20 -0300
commit: 67149cb2f68e3e96cd75804d83827ccd03386695 (patch)
tree: 0d17b21856189b8707dc921809f1623b52151f3b
parent: 32e8eed1ae5fe694c070dacfa517295be786dfbe (diff)
download: ffmpeg-67149cb2f68e3e96cd75804d83827ccd03386695.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 593c010204..3f43fd1b47 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -704,7 +704,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
     st->codecpar->codec_id  = ff_codec_get_id(ff_codec_bmp_tags, tag);
     size_bmp = FFMAX(size_asf, size_bmp);
 
-    if (size_bmp > BMP_HEADER_SIZE) {
+    if (size_bmp > BMP_HEADER_SIZE &&
+        size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
         int ret;
         st->codecpar->extradata_size  = size_bmp - BMP_HEADER_SIZE;
         if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +
author	Michael Niedermayer <michael@niedermayer.cc>	2018-07-03 21:01:23 +0200
committer	James Almer <jamrial@gmail.com>	2018-08-08 01:37:20 -0300
commit	67149cb2f68e3e96cd75804d83827ccd03386695 (patch)
tree	0d17b21856189b8707dc921809f1623b52151f3b
parent	32e8eed1ae5fe694c070dacfa517295be786dfbe (diff)
download	ffmpeg-67149cb2f68e3e96cd75804d83827ccd03386695.tar.gz