mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
Extend check for integer overflow for malloc argument to take into account
also the addition of "sound_buffers" not only the multiplication. Originally committed as revision 19840 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
parent
65d6d40350
commit
21ab5c5827
@ -154,7 +154,7 @@ static int vmd_read_header(AVFormatContext *s,
|
|||||||
vmd->frame_table = NULL;
|
vmd->frame_table = NULL;
|
||||||
sound_buffers = AV_RL16(&vmd->vmd_header[808]);
|
sound_buffers = AV_RL16(&vmd->vmd_header[808]);
|
||||||
raw_frame_table_size = vmd->frame_count * 6;
|
raw_frame_table_size = vmd->frame_count * 6;
|
||||||
if(vmd->frame_count * vmd->frames_per_block >= UINT_MAX / sizeof(vmd_frame)){
|
if(vmd->frame_count * vmd->frames_per_block >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
|
||||||
av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
|
av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user