integer overflows, heap corruption

possible arbitrary code execution cannot be ruled out in some cases precautionary checks Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2005-01-08 14:21:33 +0000
commit: 568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree: 18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/segafilm.c
parent: 934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download: ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 9e94de103c..3f752a1d9b 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -171,6 +171,8 @@ static int film_read_header(AVFormatContext *s,
         return AVERROR_INVALIDDATA;
     film->base_clock = BE_32(&scratch[8]);
     film->sample_count = BE_32(&scratch[12]);
+    if(film->sample_count >= UINT_MAX / sizeof(film_sample_t))
+        return -1;
     film->sample_table = av_malloc(film->sample_count * sizeof(film_sample_t));
     
     for(i=0; i<s->nb_streams; i++)
author	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2005-01-08 14:21:33 +0000
commit	568e18b15e2ddf494fd8926707d34ca08c8edce5 (patch)
tree	18f59992848e24c529a01bd98aed66af3762b2d1 /libavformat/segafilm.c
parent	934b0821dbb8fb33b2736fe4aab09fc2b6cc8ccc (diff)
download	ffmpeg-568e18b15e2ddf494fd8926707d34ca08c8edce5.tar.gz