# HG changeset patch
# User reimar
# Date 1252948518 0
# Node ID 092a527cabc88929a184e23c8739c947acdc11f5
# Parent  951c95954c9c6cacadf543df73db83fc93507f4e
Extend check for integer overflow for malloc argument to take into account
also the addition of "sound_buffers" not only the multiplication.

diff -r 951c95954c9c -r 092a527cabc8 sierravmd.c
--- a/sierravmd.c	Mon Sep 14 17:05:13 2009 +0000
+++ b/sierravmd.c	Mon Sep 14 17:15:18 2009 +0000
@@ -154,7 +154,7 @@
     vmd->frame_table = NULL;
     sound_buffers = AV_RL16(&vmd->vmd_header[808]);
     raw_frame_table_size = vmd->frame_count * 6;
-    if(vmd->frame_count * vmd->frames_per_block  >= UINT_MAX / sizeof(vmd_frame)){
+    if(vmd->frame_count * vmd->frames_per_block  >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
         av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
         return -1;
     }