Mercurial > libavformat.hg
comparison 4xm.c @ 639:0b52743104ac libavformat
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
| author | michael |
|---|---|
| date | Sat, 08 Jan 2005 14:21:33 +0000 |
| parents | 0fdc96c2f2fe |
| children | 253b5292946a |
comparison
equal
deleted
inserted
replaced
| 638:5188094c6ec4 | 639:0b52743104ac |
|---|---|
| 183 return AVERROR_INVALIDDATA; | 183 return AVERROR_INVALIDDATA; |
| 184 } | 184 } |
| 185 current_track = LE_32(&header[i + 8]); | 185 current_track = LE_32(&header[i + 8]); |
| 186 if (current_track + 1 > fourxm->track_count) { | 186 if (current_track + 1 > fourxm->track_count) { |
| 187 fourxm->track_count = current_track + 1; | 187 fourxm->track_count = current_track + 1; |
| 188 if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)) | |
| 189 return -1; | |
| 188 fourxm->tracks = av_realloc(fourxm->tracks, | 190 fourxm->tracks = av_realloc(fourxm->tracks, |
| 189 fourxm->track_count * sizeof(AudioTrack)); | 191 fourxm->track_count * sizeof(AudioTrack)); |
| 190 if (!fourxm->tracks) { | 192 if (!fourxm->tracks) { |
| 191 av_free(header); | 193 av_free(header); |
| 192 return AVERROR_NOMEM; | 194 return AVERROR_NOMEM; |