Mercurial > libavformat.hg

diff wc3movie.c @ 643:253b5292946a libavformat

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
various security fixes and precautionary checks
author michael
date Wed, 12 Jan 2005 00:16:25 +0000
parents 0b52743104ac
children c5077fdab490
line wrap: on
line diff
--- a/wc3movie.c	Tue Jan 11 08:16:04 2005 +0000
+++ b/wc3movie.c	Wed Jan 12 00:16:25 2005 +0000
@@ -169,14 +169,16 @@
             if ((ret = get_buffer(pb, preamble, 4)) != 4)
                 return AVERROR_IO;
             wc3->palette_count = LE_32(&preamble[0]);
-            if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE)
+            if((unsigned)wc3->palette_count >= UINT_MAX / PALETTE_SIZE){
+                wc3->palette_count= 0;
                 return -1;
+            }
             wc3->palettes = av_malloc(wc3->palette_count * PALETTE_SIZE);
             break;
 
         case BNAM_TAG:
             /* load up the name */
-            if (size < 512)
+            if ((unsigned)size < 512)
                 bytes_to_read = size;
             else
                 bytes_to_read = 512;
@@ -195,7 +197,7 @@
 
         case PALT_TAG:
             /* one of several palettes */
-            if (current_palette >= wc3->palette_count)
+            if ((unsigned)current_palette >= wc3->palette_count)
                 return AVERROR_INVALIDDATA;
             if ((ret = get_buffer(pb, 
                 &wc3->palettes[current_palette * PALETTE_SIZE], 
@@ -331,7 +333,7 @@
 #if 0
             url_fseek(pb, size, SEEK_CUR);
 #else
-            if ((ret = get_buffer(pb, text, size)) != size)
+            if ((unsigned)size > sizeof(text) || (ret = get_buffer(pb, text, size)) != size)
                 ret = AVERROR_IO;
             else {
                 int i = 0;