integer overflows, heap corruption

possible arbitrary code execution cannot be ruled out in some cases precautionary checks Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
commit: 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree: 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/gifdec.c
parent: 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download: ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavformat/gifdec.c b/libavformat/gifdec.c
index 133ce1718e..4ee295de7b 100644
--- a/libavformat/gifdec.c
+++ b/libavformat/gifdec.c
@@ -474,6 +474,12 @@ static int gif_read_header1(GifState *s)
     s->transparent_color_index = -1;
     s->screen_width = get_le16(f);
     s->screen_height = get_le16(f);
+    if(   (unsigned)s->screen_width  > 32767 
+       || (unsigned)s->screen_height > 32767){
+        av_log(NULL, AV_LOG_ERROR, "picture size too large\n");
+        return -1;
+    } 
+
     v = get_byte(f);
     s->color_resolution = ((v & 0x70) >> 4) + 1;
     has_global_palette = (v & 0x80);
author	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
commit	568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree	18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/gifdec.c
parent	934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download	ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz