authorMichael Niedermayer2005-01-08 14:21:33 +0000
committerMichael Niedermayer2005-01-08 14:21:33 +0000
commit568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/avidec.c
parent934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
integer overflows, heap corruption
possible arbitrary code execution cannot be ruled out in some cases
precautionary checks

Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/avidec.c')
-rw-r--r--libavformat/avidec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index fa33101106..060d3b926d 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -302,9 +302,11 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
get_le32(pb); /* ClrUsed */
get_le32(pb); /* ClrImportant */
+ if(size > 10*4 && size<(1<<30)){
st->codec.extradata_size= size - 10*4;
st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
+ }
if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly
get_byte(pb);
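Review bot: The result of `av_malloc` inside the new `if(size > 10*4 && size<(1<<30))` block goes straight to `get_buffer` with no NULL check, and the guard still accepts a header-supplied `size` of nearly 1 GiB, so a crafted file can force an allocation failure that would then become a write through a null pointer. Adding `if(!st->codec.extradata){ st->codec.extradata_size= 0; return -1; }` before the read would close this; whether a bare `return -1` is the right exit depends on cleanup in `avi_read_header`, which starts and ends outside the hunk. The return value of `get_buffer` is also ignored, so a truncated file leaves `extradata_size` claiming more bytes than were actually read. The padding is never cleared either; `memset(st->codec.extradata + st->codec.extradata_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` after the NULL check would keep downstream readers from seeing uninitialised heap bytes.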
@@ -549,6 +551,8 @@ static int avi_read_idx1(AVFormatContext *s, int size)
nb_index_entries = size / 16;
if (nb_index_entries <= 0)
return -1;
+ if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry))
+ return -1;
/* read the entries and sort them in each stream component */
for(i = 0; i < nb_index_entries; i++) {
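Review bot: The new bound in `avi_read_idx1` does not say which computation it protects, and the allocation it presumably guards lies outside the hunk. A comment such as `/* keeps (nb_index_entries + 1) * sizeof(AVIIndexEntry) from wrapping in the index allocation below */` would let a reader confirm the check and the allocation stay in step. If `nb_index_entries` is a signed int, as the `<= 0` test suggests, the comparison against the `size_t` quotient is only safe because that test has already rejected non-positive values, so the two checks should stay in this order. The function body continues past the end of the hunk.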