On 08/04/2012 02:33 PM, Justin Ruggles wrote: > chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the > packet size. > --- > libavformat/idcin.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/libavformat/idcin.c b/libavformat/idcin.c > index 74875cb..8cd86d1 100644 > --- a/libavformat/idcin.c > +++ b/libavformat/idcin.c > @@ -278,6 +278,10 @@ static int idcin_read_packet(AVFormatContext *s, > } > > chunk_size = avio_rl32(pb); > + if (chunk_size < 4 || chunk_size > INT_MAX - 4) { > + av_log(s, AV_LOG_ERROR, "invalid chunk size: %u\n", chunk_size); > + return AVERROR_INVALIDDATA; > + } > /* skip the number of decoded bytes (always equal to width * height) > */ > avio_skip(pb, 4); > chunk_size -= 4;
ping. -Justin _______________________________________________ libav-devel mailing list libav-devel@libav.org https://lists.libav.org/mailman/listinfo/libav-devel