integer overflows, heap corruption

possible arbitrary code execution cannot be ruled out in some cases precautionary checks Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
commit: 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree: 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/wc3movie.c
parent: 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download: ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c
index 15130d97cd..b5f5c35adf 100644
--- a/libavformat/wc3movie.c
+++ b/libavformat/wc3movie.c
@@ -169,6 +169,8 @@ static int wc3_read_header(AVFormatContext *s,
             if ((ret = get_buffer(pb, preamble, 4)) != 4)
                 return AVERROR_IO;
             wc3->palette_count = LE_32(&preamble[0]);
+            if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE)
+                return -1;
             wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE);
             break;
author	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
commit	568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree	18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/wc3movie.c
parent	934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download	ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz