mpc8: check seektable size before attempting to use it.

Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-12-02 04:21:42 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-12-02 04:21:42 +0100
commit: b61ba262a1e275f8129b7383d70fe48051b47fcf (patch)
tree: 31d72b32999bc7ce0f2f78e010f9f3ffd25a61f0 /libavformat/mpc8.c
parent: ff7e2342bbc96ebc0fc51c19ee212ad160f83216 (diff)
download: ffmpeg-b61ba262a1e275f8129b7383d70fe48051b47fcf.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 56ed7ade13..191f6963de 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
         av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
         return;
     }
+    if (size > INT_MAX/10 || size<=0) {
+        av_log(s, AV_LOG_ERROR, "Seek table size is invalid\n");
+        return;
+    }
     if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
         return;
     avio_read(s->pb, buf, size);
author	Michael Niedermayer <michaelni@gmx.at>	2012-12-02 04:21:42 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-12-02 04:21:42 +0100
commit	b61ba262a1e275f8129b7383d70fe48051b47fcf (patch)
tree	31d72b32999bc7ce0f2f78e010f9f3ffd25a61f0 /libavformat/mpc8.c
parent	ff7e2342bbc96ebc0fc51c19ee212ad160f83216 (diff)
download	ffmpeg-b61ba262a1e275f8129b7383d70fe48051b47fcf.tar.gz