[FFmpeg-cvslog] r19840 - trunk/libavformat/sierravmd.c
reimar
subversion
Mon Sep 14 19:15:18 CEST 2009
Author: reimar
Date: Mon Sep 14 19:15:18 2009
New Revision: 19840
Log:
Extend check for integer overflow for malloc argument to take into account
also the addition of "sound_buffers" not only the multiplication.
Modified:
trunk/libavformat/sierravmd.c
Modified: trunk/libavformat/sierravmd.c
==============================================================================
--- trunk/libavformat/sierravmd.c Mon Sep 14 19:05:13 2009 (r19839)
+++ trunk/libavformat/sierravmd.c Mon Sep 14 19:15:18 2009 (r19840)
@@ -154,7 +154,7 @@ static int vmd_read_header(AVFormatConte
vmd->frame_table = NULL;
sound_buffers = AV_RL16(&vmd->vmd_header[808]);
raw_frame_table_size = vmd->frame_count * 6;
- if(vmd->frame_count * vmd->frames_per_block >= UINT_MAX / sizeof(vmd_frame)){
+ if(vmd->frame_count * vmd->frames_per_block >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
return -1;
}
More information about the ffmpeg-cvslog
mailing list