[FFmpeg-devel] [PATCH 3/3] avformat/utils: Fix potential integer overflow in extract_extradata()
James Almer
jamrial at gmail.com
Thu Sep 27 01:12:13 EEST 2018
On 9/26/2018 7:00 PM, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
> libavformat/utils.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libavformat/utils.c b/libavformat/utils.c
> index c1835b1ab5..3e99478ad9 100644
> --- a/libavformat/utils.c
> +++ b/libavformat/utils.c
> @@ -3544,7 +3544,9 @@ static int extract_extradata(AVStream *st, AVPacket *pkt)
> &extradata_size);
>
> if (extradata) {
> - avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
> + av_assert0(!avsti->avctx->extradata);
> + if ((unsigned)extradata_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
> + avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
There's a FF_MAX_EXTRADATA_SIZE define in internal.h
> if (!avsti->avctx->extradata) {
> av_packet_unref(pkt_ref);
> return AVERROR(ENOMEM);
>
More information about the ffmpeg-devel
mailing list