integer overflows, heap corruption

possible arbitrary code execution cannot be ruled out in some cases precautionary checks Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
commit: 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree: 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/sgi.c
parent: 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download: ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/sgi.c b/libavformat/sgi.c
index 13ca98e925..bbf700bc4f 100644
--- a/libavformat/sgi.c
+++ b/libavformat/sgi.c
@@ -65,6 +65,9 @@ static void read_sgi_header(ByteIOContext *f, SGIInfo *info)
     info->xsize = (unsigned short) get_be16(f);
     info->ysize = (unsigned short) get_be16(f);
     info->zsize = (unsigned short) get_be16(f);
+    
+    if(info->zsize > 4096) 
+        info->zsize= 0;
 
 #ifdef DEBUG
     printf("sgi header fields:\n");
author	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
commit	568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree	18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/sgi.c
parent	934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download	ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz