comparison avidec.c @ 639:0b52743104ac libavformat

Integer overflows and heap corruption; possible arbitrary code execution cannot be ruled out in some cases. Precautionary checks.
author michael
date Sat, 08 Jan 2005 14:21:33 +0000
parents d3baee10d526
children 25825079f833
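--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -300,13 +300,15 @@
 get_le32(pb); /* XPelsPerMeter */
 get_le32(pb); /* YPelsPerMeter */
 get_le32(pb); /* ClrUsed */
 get_le32(pb); /* ClrImportant */
 
+if(size > 10*4 && size<(1<<30)){
 st->codec.extradata_size= size - 10*4;
 st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
+}
 
 if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly
 get_byte(pb);
 
 /* Extract palette from extradata if bpp <= 8 */
@@ -547,10 +549,12 @@
 unsigned int index, tag, flags, pos, len;
 
 nb_index_entries = size / 16;
 if (nb_index_entries <= 0)
 return -1;
+if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry))
+return -1;
 
 /* read the entries and sort them in each stream component */
 for(i = 0; i < nb_index_entries; i++) {
 tag = get_le32(pb);
 flags = get_le32(pb);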
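Review bot: The av_malloc() result on the new-side line `st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);` is still handed straight to get_buffer() on the following line, so an allocation failure — now reachable with any file-supplied size up to 1<<30 bytes — turns into a write through a NULL pointer instead of an error. Add `if(!st->codec.extradata) return -1;` (or whatever failure path the enclosing header reader uses) between the two lines, and consider a cap well below 1<<30 for extradata, since the new bound only keeps the size arithmetic from wrapping and still lets the file drive a ~1 GiB allocation. When the new condition is false, extradata_size keeps whatever value it held before and the chunk's remaining bytes are not consumed here; presumably the caller skips to the chunk end, but that is not visible in the hunk. Both hunks sit inside functions that start and end outside the shown lines, and the type of nb_index_entries used in the second hunk's UINT_MAX comparison is declared elsewhere.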