Merge commit '0ef1660a6365ce60ead8858936b6f3f8ea862826'

* commit '0ef1660a6365ce60ead8858936b6f3f8ea862826': sierravmd: Do sanity checking of frame sizes Conflicts: libavformat/sierravmd.c See: 47c4713a23d271eedd2eb2c02daa70cb0ea4e0ac Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-09-16 12:32:24 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-09-16 12:32:24 +0200
commit: cfa909ef5b7e0320f75cca10d932631fb03b49af (patch)
tree: e3ad2ea6deac02715bc7640108d0e40825184677 /libavformat/sierravmd.c
parent: a444ddff03861b092558aa0b1b38b218fc636aaa (diff)
parent: 0ef1660a6365ce60ead8858936b6f3f8ea862826 (diff)
download: ffmpeg-cfa909ef5b7e0320f75cca10d932631fb03b49af.tar.gz
1 files changed, 16 insertions, 7 deletions
diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c
index 059945dc0f..9366a8f5dc 100644
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -91,7 +91,8 @@ static int vmd_read_header(AVFormatContext *s)
     unsigned char *raw_frame_table;
     int raw_frame_table_size;
     int64_t current_offset;
-    int i, j, width, height;
+    int i, j, ret;
+    int width, height;
     unsigned int total_frames;
     int64_t current_audio_pts = 0;
     unsigned char chunk[BYTES_PER_FRAME_RECORD];
@@ -186,15 +187,13 @@ static int vmd_read_header(AVFormatContext *s)
     raw_frame_table = av_malloc(raw_frame_table_size);
     vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame));
     if (!raw_frame_table || !vmd->frame_table) {
-        av_free(raw_frame_table);
-        av_free(vmd->frame_table);
-        return AVERROR(ENOMEM);
+        ret = AVERROR(ENOMEM);
+        goto error;
     }
     if (avio_read(pb, raw_frame_table, raw_frame_table_size) !=
         raw_frame_table_size) {
-        av_free(raw_frame_table);
-        av_free(vmd->frame_table);
-        return AVERROR(EIO);
+        ret = AVERROR(EIO);
+        goto error;
     }
 
     total_frames = 0;
@@ -210,6 +209,11 @@ static int vmd_read_header(AVFormatContext *s)
             avio_read(pb, chunk, BYTES_PER_FRAME_RECORD);
             type = chunk[0];
             size = AV_RL32(&chunk[2]);
+            if (size > INT_MAX / 2) {
+                av_log(s, AV_LOG_ERROR, "Invalid frame size\n");
+                ret = AVERROR_INVALIDDATA;
+                goto error;
+            }
             if(!size && type != 1)
                 continue;
             switch(type) {
@@ -246,6 +250,11 @@ static int vmd_read_header(AVFormatContext *s)
     vmd->frame_count = total_frames;
 
     return 0;
+
+error:
+    av_free(raw_frame_table);
+    av_free(vmd->frame_table);
+    return ret;
 }
 
 static int vmd_read_packet(AVFormatContext *s,
author	Michael Niedermayer <michaelni@gmx.at>	2013-09-16 12:32:24 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-09-16 12:32:24 +0200
commit	cfa909ef5b7e0320f75cca10d932631fb03b49af (patch)
tree	e3ad2ea6deac02715bc7640108d0e40825184677 /libavformat/sierravmd.c
parent	a444ddff03861b092558aa0b1b38b218fc636aaa (diff)
parent	0ef1660a6365ce60ead8858936b6f3f8ea862826 (diff)
download	ffmpeg-cfa909ef5b7e0320f75cca10d932631fb03b49af.tar.gz