[FFmpeg-cvslog] avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()

Michael Niedermayer git at videolan.org
Sun Dec 4 22:12:56 EET 2016


ffmpeg | branch: release/3.0 | Michael Niedermayer <michael at niedermayer.cc> | Fri Oct 21 19:45:21 2016 +0200| [bab7d72d46458061065a41536611793b9a53fa5a] | committer: Michael Niedermayer

avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit fecb3e82a4ba09dc11a51ad0961ab491881a53a1)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bab7d72d46458061065a41536611793b9a53fa5a
---

 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index f214b36..173a769 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -826,7 +826,7 @@ static inline int mxf_read_utf16_string(AVIOContext *pb, int size, char** str, i
     int ret;
     size_t buf_size;
 
-    if (size < 0)
+    if (size < 0 || size > INT_MAX/2)
         return AVERROR(EINVAL);
 
     buf_size = size + size / 2 + 1;



More information about the ffmpeg-cvslog mailing list