1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

Extend check for integer overflow for malloc argument to take into account

also the addition of "sound_buffers" not only the multiplication.

Originally committed as revision 19840 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Reimar Döffinger 2009-09-14 17:15:18 +00:00
parent 65d6d40350
commit 21ab5c5827

View File

@ -154,7 +154,7 @@ static int vmd_read_header(AVFormatContext *s,
vmd->frame_table = NULL; vmd->frame_table = NULL;
sound_buffers = AV_RL16(&vmd->vmd_header[808]); sound_buffers = AV_RL16(&vmd->vmd_header[808]);
raw_frame_table_size = vmd->frame_count * 6; raw_frame_table_size = vmd->frame_count * 6;
if(vmd->frame_count * vmd->frames_per_block >= UINT_MAX / sizeof(vmd_frame)){ if(vmd->frame_count * vmd->frames_per_block >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n"); av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
return -1; return -1;
} }