author | Justin Ruggles <justin.ruggles@gmail.com> | 2012-08-01 16:10:08 -0400 |
---|---|---|
committer | Justin Ruggles <justin.ruggles@gmail.com> | 2013-01-09 14:49:06 -0500 |
commit | 33f58c3616d2870d3861da68217ef9d05cc5047a (patch) | |
tree | c8ce3602372a36786691f0270ad1b36444fa6e45 /libavformat/idcin.c | |
parent | 7040e479a1530b2eda4b89a182d5eb50a77bd907 (diff) | |
download | ffmpeg-33f58c3616d2870d3861da68217ef9d05cc5047a.tar.gz |
idcin: check for integer overflow when calling av_get_packet()
chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
packet size.
Diffstat (limited to 'libavformat/idcin.c')
-rw-r--r-- | libavformat/idcin.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavformat/idcin.c b/libavformat/idcin.c index 7a0042b4a1..93ba721d11 100644 --- a/libavformat/idcin.c +++ b/libavformat/idcin.c @@ -278,6 +278,10 @@ static int idcin_read_packet(AVFormatContext *s, } chunk_size = avio_rl32(pb); + if (chunk_size < 4 || chunk_size > INT_MAX - 4) { + av_log(s, AV_LOG_ERROR, "invalid chunk size: %u\n", chunk_size); + return AVERROR_INVALIDDATA; + } /* skip the number of decoded bytes (always equal to width * height) */ avio_skip(pb, 4); chunk_size -= 4; |
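Review bot: the lower bound in `chunk_size < 4 || chunk_size > INT_MAX - 4` does a second job that neither the commit message nor the code mentions. It stops the unsigned wrap at `chunk_size -= 4` a few lines later, so a short comment above the check naming both reasons (the wrap on subtraction and the signed int size taken by av_get_packet()) would keep a later cleanup from dropping one half. The upper bound is also stricter than the message requires: the value is reduced by 4 before it is used, so `INT_MAX - 4` leaves extra margin, and it would help to say whether that margin is intentional. A chunk_size of exactly 4 passes the check and becomes 0 after the subtraction. If a zero-length payload is not a valid frame here, reject it in the same condition. Lastly, the hunk uses INT_MAX without adding an include, so confirm that limits.h is already pulled in for this file.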