diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2013-03-05 01:35:28 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-03-05 01:39:50 +0100 |
commit | 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba (patch) | |
tree | 4066cb76702dcc7c65181c0d0c6422d496c9b0c6 /libavformat/iff.c | |
parent | 7992bdbeb4ba72a9d28e72acc2b3bc0d198401ec (diff) | |
download | ffmpeg-3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba.tar.gz |
iff: fix integer overflow
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/iff.c')
-rw-r--r-- | libavformat/iff.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/iff.c b/libavformat/iff.c index 348026a725..100d981cab 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -250,6 +250,8 @@ static int iff_read_header(AVFormatContext *s) break; case ID_CMAP: + if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE) + return AVERROR_INVALIDDATA; st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE; st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); if (!st->codec->extradata) @@ -410,6 +412,7 @@ static int iff_read_header(AVFormatContext *s) if (!st->codec->extradata) return AVERROR(ENOMEM); } + av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE); buf = st->codec->extradata; bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE); bytestream_put_byte(&buf, iff->bitmap_compression); |