aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/iff.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2013-03-05 01:35:28 +0100
committerMichael Niedermayer <michaelni@gmx.at>2013-03-05 01:39:50 +0100
commit3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba (patch)
tree4066cb76702dcc7c65181c0d0c6422d496c9b0c6 /libavformat/iff.c
parent7992bdbeb4ba72a9d28e72acc2b3bc0d198401ec (diff)
downloadffmpeg-3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba.tar.gz
iff: fix integer overflow
Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/iff.c')
-rw-r--r--libavformat/iff.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 348026a725..100d981cab 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -250,6 +250,8 @@ static int iff_read_header(AVFormatContext *s)
break;
case ID_CMAP:
+ if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_INVALIDDATA;
st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
if (!st->codec->extradata)
@@ -410,6 +412,7 @@ static int iff_read_header(AVFormatContext *s)
if (!st->codec->extradata)
return AVERROR(ENOMEM);
}
+ av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE);
buf = st->codec->extradata;
bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE);
bytestream_put_byte(&buf, iff->bitmap_compression);