aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat
diff options
context:
space:
mode:
authorMartin Storsjö <martin@martin.st>2013-09-11 22:47:06 +0300
committerMartin Storsjö <martin@martin.st>2013-09-12 10:54:05 +0300
commit459f2b393a3f89ed08d10fbceb4738d1429f268e (patch)
treeb8b6dac8c463b3365e60207e8bb9ed3298b447ab /libavformat
parent0d61f260010707f3028b818e8b24598e1a83d696 (diff)
downloadffmpeg-459f2b393a3f89ed08d10fbceb4738d1429f268e.tar.gz
mpc8: Check the seek table size parsed from the bitstream
Limit the size to INT_MAX/2 (for simplicity) to be sure that size + FF_INPUT_BUFFER_PADDING_SIZE won't overflow. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st>
Diffstat (limited to 'libavformat')
-rw-r--r--libavformat/mpc8.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index c3c70e051e..29001b19f6 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -145,6 +145,10 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
av_log(s, AV_LOG_ERROR, "No seek table at given position\n");
return;
}
+ if (size < 0 || size >= INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
+ return;
+ }
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
return;
avio_read(s->pb, buf, size);