generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

iff: fix integer overflow

Browse Source 
Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3dbc0ff9c3)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2013-03-05 01:35:28 +01:00
parent f84ddb0c0f
commit 31f337c1e4
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/iff.c
View File

@@ -201,6 +201,8 @@ static int iff_read_header(AVFormatContext *s)
break; break;
case ID_CMAP: case ID_CMAP:
if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
return AVERROR_INVALIDDATA;
st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE; st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE); st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
if (!st->codec->extradata) if (!st->codec->extradata)
@@ -323,6 +325,7 @@ static int iff_read_header(AVFormatContext *s)
if (!st->codec->extradata) if (!st->codec->extradata)
return AVERROR(ENOMEM); return AVERROR(ENOMEM);
} }
av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE);
buf = st->codec->extradata; buf = st->codec->extradata;
bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE); bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE);
bytestream_put_byte(&buf, iff->bitmap_compression); bytestream_put_byte(&buf, iff->bitmap_compression);