diff avidec.c @ 639:0b52743104ac libavformat

integer overflows, heap corruption; possible arbitrary code execution cannot be ruled out in some cases; precautionary checks
author michael
date Sat, 08 Jan 2005 14:21:33 +0000
parents d3baee10d526
children 25825079f833
--- a/avidec.c	Thu Jan 06 00:54:03 2005 +0000
+++ b/avidec.c	Sat Jan 08 14:21:33 2005 +0000
@@ -302,9 +302,11 @@
                     get_le32(pb); /* ClrUsed */
                     get_le32(pb); /* ClrImportant */
 
+                 if(size > 10*4 && size<(1<<30)){
                     st->codec.extradata_size= size - 10*4;
                     st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
                     get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
+                 }
                     
                     if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly
                         get_byte(pb);
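Review bot: Inside the new guard the result of `av_malloc` is still passed straight to `get_buffer`, so an allocation failure (up to 1 GiB is now accepted by the size check) dereferences a NULL extradata pointer. A check such as `if(!st->codec.extradata) return -1;` (or whatever error value this function's other failure paths return, which are outside the hunk) belongs between the allocation and the read. The guard also leaves `extradata_size` untouched when `size` is out of range, so the `& 1` test on the following context line then operates on whatever value the field held before; if the field is not known to be zero-initialised here, set it explicitly in an `else` branch. The enclosing function starts and ends outside the hunk.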
@@ -549,6 +551,8 @@
     nb_index_entries = size / 16;
     if (nb_index_entries <= 0)
         return -1;
+    if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry))
+        return -1;
 
     /* read the entries and sort them in each stream component */
     for(i = 0; i < nb_index_entries; i++) {
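Review bot: The new bound is correct only against an allocation whose byte count is computed in `unsigned int`, and that allocation is not visible in the hunk, so the check reads as a magic comparison; a comment stating the invariant it protects would make the relation explicit, e.g. `/* (nb_index_entries + 1) * sizeof(AVIIndexEntry) must not wrap the unsigned size passed to the allocator below */`. The `+ 1` is presumably headroom for one extra entry in that allocation; if so, naming it in the same comment avoids the two constants drifting apart. The `size / 16` on the first context line hard-codes the on-disk entry size, which could share a named constant with the reader loop. The enclosing function continues past the hunk.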