diff options
author | Michael Niedermayer | 2005-01-08 14:21:33 +0000 |
---|---|---|
committer | Michael Niedermayer | 2005-01-08 14:21:33 +0000 |
commit | 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch) | |
tree | 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/avidec.c | |
parent | 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff) |
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks
Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/avidec.c')
-rw-r--r-- | libavformat/avidec.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c index fa33101106..060d3b926d 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -302,9 +302,11 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap) get_le32(pb); /* ClrUsed */ get_le32(pb); /* ClrImportant */ + if(size > 10*4 && size<(1<<30)){ st->codec.extradata_size= size - 10*4; st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE); get_buffer(pb, st->codec.extradata, st->codec.extradata_size); + } if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly get_byte(pb); @@ -549,6 +551,8 @@ static int avi_read_idx1(AVFormatContext *s, int size) nb_index_entries = size / 16; if (nb_index_entries <= 0) return -1; + if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry)) + return -1; /* read the entries and sort them in each stream component */ for(i = 0; i < nb_index_entries; i++) { |