[FFmpeg-cvslog] avformat/wtvdec: Fix signed integer overflow
Andreas Rheinhardt
git at videolan.org
Wed Sep 13 00:59:23 EEST 2023
ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Tue Sep 12 13:46:25 2023 +0200| [78169f397dad3d9af9cd750441e11b7e201e3949] | committer: Andreas Rheinhardt
avformat/wtvdec: Fix signed integer overflow
Happens when length > INT_MAX / 2; use unsigned for the computation,
but restrict the value to INT_MAX, because avio_get_str16le()
accepts an int as buf_len argument. Notice that it can happen
that the string read by avio_get_str16le() is truncated in this case.
Reviewed-by: Peter Ross <pross at xvid.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78169f397dad3d9af9cd750441e11b7e201e3949
---
libavformat/wtvdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 2de6dc2103..4ce4b6403e 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -468,7 +468,7 @@ static void get_tag(AVFormatContext *s, AVIOContext *pb, const char *key, int ty
return;
}
- buf_size = FFMAX(2*length, LEN_PRETTY_GUID) + 1;
+ buf_size = FFMIN(FFMAX(2U * length, LEN_PRETTY_GUID) + 1, INT_MAX);
buf = av_malloc(buf_size);
if (!buf)
return;
More information about the ffmpeg-cvslog
mailing list