[FFmpeg-cvslog] iff: fix integer overflow
Michael Niedermayer
git at videolan.org
Wed Mar 20 21:02:58 CET 2013
ffmpeg | branch: release/1.0 | Michael Niedermayer <michaelni at gmx.at> | Tue Mar 5 01:35:28 2013 +0100| [31f337c1e44ebe53e4e23b24aa6c2a62f6862236] | committer: Michael Niedermayer
iff: fix integer overflow
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=31f337c1e44ebe53e4e23b24aa6c2a62f6862236
---
libavformat/iff.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 0055283..b207990 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -201,6 +201,8 @@ static int iff_read_header(AVFormatContext *s)
break;
case ID_CMAP:
+ if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_INVALIDDATA;
st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
if (!st->codec->extradata)
@@ -323,6 +325,7 @@ static int iff_read_header(AVFormatContext *s)
if (!st->codec->extradata)
return AVERROR(ENOMEM);
}
+ av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE);
buf = st->codec->extradata;
bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE);
bytestream_put_byte(&buf, iff->bitmap_compression);
More information about the ffmpeg-cvslog
mailing list