diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2005-01-08 14:21:33 +0000 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2005-01-08 14:21:33 +0000 |
| commit | 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch) | |
| tree | 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/gifdec.c | |
| parent | 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff) | |
| download | ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz | |
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/gifdec.c')
| -rw-r--r-- | libavformat/gifdec.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c index 133ce1718e..4ee295de7b 100644 --- a/libavformat/gifdec.c +++ b/libavformat/gifdec.c @@ -474,6 +474,12 @@ static int gif_read_header1(GifState *s) s->transparent_color_index = -1; s->screen_width = get_le16(f); s->screen_height = get_le16(f); + if( (unsigned)s->screen_width > 32767 + || (unsigned)s->screen_height > 32767){ + av_log(NULL, AV_LOG_ERROR, "picture size too large\n"); + return -1; + } + v = get_byte(f); s->color_resolution = ((v & 0x70) >> 4) + 1; has_global_palette = (v & 0x80); |