Mercurial > libavformat.hg

changeset 669:ed7ed3588399 libavformat

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fixing an integer overflow, which could lead to overwriting the end of a malloced buffer by 8 bytes
author michael
date Fri, 04 Feb 2005 18:58:59 +0000
parents 9a6a30f512b2
children 856b151f926a
files sierravmd.c
diffstat 1 files changed, 2 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/sierravmd.c	Fri Feb 04 11:26:40 2005 +0000
+++ b/sierravmd.c	Fri Feb 04 18:58:59 2005 +0000
@@ -212,7 +212,8 @@
 
         /* if the frame size is 0, do not count the frame and bring the
          * total frame count down */
-        vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]);
+        // note, we limit the size to 1Gb to ensure that we dont end up overflowing the size integer used to allocate the memory
+        vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]) & 0x3FFFFFFF; 
 
         /* this logic is present so that 0-length audio chunks are not
          * accounted */