# HG changeset patch # User reimar # Date 1396811281 0 # Node ID 50ba718698eaac11eb31722f805d78bbbced058e # Parent 43a8e37a3dcf755d6d5c0d4c700cb3a4abc9e0ee xvid_vbr: Sanity-check parsed variable before using it to malloc. diff -r 43a8e37a3dcf -r 50ba718698ea xvid_vbr.c --- a/xvid_vbr.c Sun Apr 06 18:53:46 2014 +0000 +++ b/xvid_vbr.c Sun Apr 06 19:08:01 2014 +0000 @@ -703,7 +703,9 @@ fscanf(state->pass1_file, "# keyframes : %d\n", &state->nb_keyframes); /* Allocate memory space for the keyframe_location array */ - if((state->keyframe_locations + if(state->nb_keyframes < 0 || + state->nb_keyframes >= 0x7fffffff / sizeof(int) || + (state->keyframe_locations = malloc((state->nb_keyframes+1)*sizeof(int))) == NULL) { fclose(state->pass1_file); state->pass1_file = NULL;
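Review bot: The return value of the fscanf() call that reads "# keyframes : %d" (the context line directly above the new condition) is still unchecked, so when that line of the pass-1 file does not match, state->nb_keyframes keeps whatever value it held before and the new range test validates that stale value instead of parsed input. Suggest comparing the fscanf() result against 1 and taking the same failure path (fclose, then `state->pass1_file = NULL;`). A smaller style point on the added bound: `0x7fffffff / sizeof(int)` would read more clearly as `INT_MAX / sizeof(int)`, with a short comment saying the limit exists to keep `(state->nb_keyframes+1)*sizeof(int)` from overflowing.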