Mercurial > libavcodec.hg

diff shorten.c @ 3303:68721b62a528 libavcodec

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
sanity checks, some might have been exploitable ...
author michael
date Sat, 13 May 2006 10:45:26 +0000
parents 04b924f8f5a5
children c8c591fe26f8
line wrap: on
line diff
--- a/shorten.c	Thu May 11 23:17:23 2006 +0000
+++ b/shorten.c	Sat May 13 10:45:26 2006 +0000
@@ -106,18 +106,27 @@
     return 0;
 }
 
-static void allocate_buffers(ShortenContext *s)
+static int allocate_buffers(ShortenContext *s)
 {
     int i, chan;
     for (chan=0; chan<s->channels; chan++) {
+        if(FFMAX(1, s->nmean) >= UINT_MAX/sizeof(int32_t)){
+            av_log(s->avctx, AV_LOG_ERROR, "nmean too large\n");
+            return -1;
+        }
+        if(s->blocksize + s->nwrap >= UINT_MAX/sizeof(int32_t) || s->blocksize + s->nwrap <= (unsigned)s->nwrap){
+            av_log(s->avctx, AV_LOG_ERROR, "s->blocksize + s->nwrap too large\n");
+            return -1;
+        }
+
         s->offset[chan] = av_realloc(s->offset[chan], sizeof(int32_t)*FFMAX(1, s->nmean));
 
         s->decoded[chan] = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
         for (i=0; i<s->nwrap; i++)
             s->decoded[chan][i] = 0;
         s->decoded[chan] += s->nwrap;
-
     }
+    return 0;
 }