Mercurial > libavformat.hg
comparison ogg.c @ 639:0b52743104ac libavformat
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
| author | michael |
|---|---|
| date | Sat, 08 Jan 2005 14:21:33 +0000 |
| parents | fe24632a577b |
| children | 17178af951b4 |
comparison
equal
deleted
inserted
replaced
| 638:5188094c6ec4 | 639:0b52743104ac |
|---|---|
| 193 codec->codec_id = CODEC_ID_VORBIS; | 193 codec->codec_id = CODEC_ID_VORBIS; |
| 194 for(i=0; i<3; i++){ | 194 for(i=0; i<3; i++){ |
| 195 if(next_packet(avfcontext, &op)){ | 195 if(next_packet(avfcontext, &op)){ |
| 196 return -1; | 196 return -1; |
| 197 } | 197 } |
| 198 if(op.bytes >= (1<<16) || op.bytes < 0) | |
| 199 return -1; | |
| 198 codec->extradata_size+= 2 + op.bytes; | 200 codec->extradata_size+= 2 + op.bytes; |
| 199 codec->extradata= av_realloc(codec->extradata, codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); | 201 codec->extradata= av_realloc(codec->extradata, codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); |
| 200 p= codec->extradata + codec->extradata_size - 2 - op.bytes; | 202 p= codec->extradata + codec->extradata_size - 2 - op.bytes; |
| 201 *(p++)= op.bytes>>8; | 203 *(p++)= op.bytes>>8; |
| 202 *(p++)= op.bytes&0xFF; | 204 *(p++)= op.bytes&0xFF; |