[libav-devel] [PATCH 08/10] idcin: check for integer overflow when calling av_get_packet()

Justin Ruggles Wed, 01 Aug 2012 14:36:26 -0700

chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
packet size.
---
 libavformat/idcin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)


diff --git a/libavformat/idcin.c b/libavformat/idcin.c
index 67915e6..2d506ff 100644
--- a/libavformat/idcin.c
+++ b/libavformat/idcin.c
@@ -282,6 +282,10 @@ static int idcin_read_packet(AVFormatContext *s,
         /* skip the number of decoded bytes (always equal to width * height) */
         avio_skip(pb, 4);
         chunk_size -= 4;
+        if (chunk_size > INT_MAX) {
+            av_log(s, AV_LOG_ERROR, "chunk size is too large: %u\n", 
chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
         ret= av_get_packet(pb, pkt, chunk_size);
         if (ret < 0)
             return ret;
-- 
1.7.1

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 08/10] idcin: check for integer overflow when calling av_get_packet()

Reply via email to