author | Michael Niedermayer <michaelni@gmx.at> | 2012-11-10 17:41:56 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-12-03 20:45:18 +0100 |
commit | c8c9740ee1ea4a4f857a24b1ce05dcd07b72ec2d (patch) | |
tree | 1561c776e7ecd6223c27a6164716310c01e3a19c | |
parent | e0884eadf6a15e93142131b695f48776f9a0ac31 (diff) | |
download | ffmpeg-c8c9740ee1ea4a4f857a24b1ce05dcd07b72ec2d.tar.gz |
alac: fix integer overflow leading to subsequent out of array accesses.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3920d1387834e2bc334aff9f518f4beb24e470bd)
-rw-r--r-- | libavcodec/alac.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index e8e844aede..6e72bb6a6f 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -542,7 +542,11 @@ static av_cold int alac_decode_close(AVCodecContext *avctx)
 static int allocate_buffers(ALACContext *alac)
 {
 int ch;
- int buf_size = alac->max_samples_per_frame * sizeof(int32_t);
+ int buf_size;
+
+ if (alac->max_samples_per_frame > INT_MAX / sizeof(int32_t))
+ goto buf_alloc_fail;
+ buf_size = alac->max_samples_per_frame * sizeof(int32_t);
 
 for (ch = 0; ch < FFMIN(alac->channels, 2); ch++) {
 FF_ALLOC_OR_GOTO(alac->avctx, alac->predict_error_buffer[ch], |
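Review bot: The new guard in allocate_buffers jumps to `buf_alloc_fail`, so an out-of-range `max_samples_per_frame` is presumably reported exactly like a genuine out-of-memory condition; the label and the rest of the function lie outside the hunk, so this is inferred. If the value originates from untrusted stream data, as the commit message suggests, a log line before the `goto` such as `av_log(alac->avctx, AV_LOG_ERROR, "max_samples_per_frame too large\n");` would make the rejection visible during triage. A short comment on the check, e.g. `/* byte size must fit in int buf_size */`, would record why it exists. The bound only stops the multiplication from wrapping: values just below `INT_MAX / sizeof(int32_t)` still request close to 2 GiB per buffer, so a tighter sanity limit where the field is parsed is worth considering.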