[FFmpeg-cvslog] idcin: check for integer overflow when calling av_get_packet()
Justin Ruggles
git at videolan.org
Thu Jan 10 12:56:28 CET 2013
ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Wed Aug 1 16:10:08 2012 -0400| [33f58c3616d2870d3861da68217ef9d05cc5047a] | committer: Justin Ruggles
idcin: check for integer overflow when calling av_get_packet()
chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
packet size.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33f58c3616d2870d3861da68217ef9d05cc5047a
---
libavformat/idcin.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/idcin.c b/libavformat/idcin.c
index 7a0042b..93ba721 100644
--- a/libavformat/idcin.c
+++ b/libavformat/idcin.c
@@ -278,6 +278,10 @@ static int idcin_read_packet(AVFormatContext *s,
}
chunk_size = avio_rl32(pb);
+ if (chunk_size < 4 || chunk_size > INT_MAX - 4) {
+ av_log(s, AV_LOG_ERROR, "invalid chunk size: %u\n", chunk_size);
+ return AVERROR_INVALIDDATA;
+ }
/* skip the number of decoded bytes (always equal to width * height) */
avio_skip(pb, 4);
chunk_size -= 4;
More information about the ffmpeg-cvslog
mailing list