Module: libav Branch: release/0.7 Commit: fed7f5b04f0ddde81fe1de1af725a63461a31f6f
Author: Michael Niedermayer <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Sat Sep 24 18:57:31 2011 +0300 flvdec: Check for overflow before allocating arrays On allocation, the array length is multiplied by sizeof(int64_t), this prevents the multiplication from overflowing. Signed-off-by: Martin Storsjö <[email protected]> (cherry picked from commit a246cefa75aed2ade315d6d09068aacb6b0fe76b) Signed-off-by: Reinhard Tartler <[email protected]> --- libavformat/flvdec.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c6b386e..5f442f7 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -147,6 +147,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream break; arraylen = avio_rb32(ioc); + if (arraylen >> 28) + break; + /* * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata * for indexing _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
