diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2008-05-03 21:01:47 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2008-05-03 21:01:47 +0000 |
commit | 494e353179a138b254630f3a208df3aa639d258f (patch) | |
tree | 7864dd60c66adc48e1172329d93b926620d38605 /libavcodec/alac.c | |
parent | 83e9a67d7c76b12ca614709f451a2a175cd48721 (diff) | |
download | ffmpeg-494e353179a138b254630f3a208df3aa639d258f.tar.gz |
Heap buffer overflow.
Originally committed as revision 13051 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/alac.c')
-rw-r--r-- | libavcodec/alac.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 9fbba9544a..c5a9b767c8 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -405,7 +405,7 @@ static int alac_decode_frame(AVCodecContext *avctx, ALACContext *alac = avctx->priv_data; int channels; - int32_t outputsamples; + unsigned int outputsamples; int hassize; int readsamplesize; int wasted_bytes; @@ -458,6 +458,10 @@ static int alac_decode_frame(AVCodecContext *avctx, if (hassize) { /* now read the number of samples as a 32bit integer */ outputsamples = get_bits(&alac->gb, 32); + if(outputsamples > alac->setinfo_max_samples_per_frame){ + av_log(avctx, AV_LOG_ERROR, "outputsamples %d > %d\n", outputsamples, alac->setinfo_max_samples_per_frame); + return -1; + } } else outputsamples = alac->setinfo_max_samples_per_frame; |