[FFmpeg-devel] stsz overflow
Frank Barchard
fbarchard
Tue Aug 25 00:44:29 CEST 2009
On Mon, Aug 24, 2009 at 2:22 PM, Baptiste Coudurier <baptiste.coudurier at gmail.com> wrote:
>
> Why sizeof(int)*8 ?
>
Since field_size has been checked, how about that instead.
Plus the code should free the previous alloc to avoid a leak.
Note that with this change the code will fail, but it avoids a crash.
Index: libavformat/mov.c
===================================================================
--- libavformat/mov.c (revision 19695)
+++ libavformat/mov.c (working copy)
@@ -1262,6 +1262,10 @@
if (!sc->sample_sizes)
return AVERROR(ENOMEM);
+ if(entries >= UINT_MAX / field_size) {
+ av_freep(&sc->sample_sizes);
+ return -1;
+ }
num_bytes = (entries*field_size+4)>>3;
buf = av_malloc(num_bytes+FF_INPUT_BUFFER_PADDING_SIZE);
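Review bot: the new check sits after sc->sample_sizes has already been allocated, which is what forces the av_freep(&sc->sample_sizes) on the error path; moving `if(entries >= UINT_MAX / field_size)` above the allocation that feeds `if (!sc->sample_sizes)` rejects the bad table before any memory is taken and needs no cleanup at all. Two things the check leans on that the hunk does not show: it divides by field_size, so it depends on the earlier field_size validation mentioned in the reply rejecting 0, and it bounds entries*field_size but not the `+4` that follows on the `num_bytes = (entries*field_size+4)>>3;` line, which only fits because the validated field_size is at least 4; a one-line comment there would save the next reader the arithmetic. UINT_MAX also needs <limits.h>, which is not visible in this hunk. Style: the line above returns AVERROR(ENOMEM) while the new path returns a bare -1, so an AVERROR code would be consistent, and `if(` should be `if (` to match the surrounding code.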
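The failure the patch guards against, as an added example that is not FFmpeg code and not part of the original message: a naive (entries*field_size+4)>>3 in unsigned arithmetic wraps for a large entries count and yields a tiny byte count, so the buffer allocated from it is far too small for the table that follows. The checked variant validates field_size first (it assumes the widths 4, 8, 16 and 32, the sizes the stsz/stz2 boxes can carry), then applies the same entries >= UINT_MAX / field_size bound before anything is allocated. The function names and the hostile sample values are constructed for this example.

```c
/* Added example (not FFmpeg code): the stsz/stz2 byte-count overflow
 * and one way to check it before any allocation happens. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive computation with the same shape as the original expression.
 * Unsigned int arithmetic wraps modulo 2^32, so a hostile entries
 * count can make this return something tiny. */
unsigned naive_num_bytes(unsigned entries, unsigned field_size)
{
    return (entries * field_size + 4) >> 3;
}

/* Checked computation: 0 on success with *num_bytes set (num_bytes may
 * be NULL), -1 when field_size is not a valid width or when
 * entries*field_size would not fit in an unsigned int.
 * Assumption for this example: the valid widths are 4, 8, 16 (stz2)
 * and 32 (stsz). Validating first also keeps the division safe. */
int checked_num_bytes(unsigned entries, unsigned field_size, unsigned *num_bytes)
{
    if (field_size != 4 && field_size != 8 &&
        field_size != 16 && field_size != 32)
        return -1;                          /* bad width, never divide by 0 */
    if (entries >= UINT_MAX / field_size)
        return -1;                          /* entries*field_size would wrap */
    /* With entries < UINT_MAX/field_size and field_size >= 4, the product
     * is at most 2^32 - 2*field_size, so the +4 cannot wrap either. */
    if (num_bytes)
        *num_bytes = (entries * field_size + 4) >> 3;
    return 0;
}

/* Convenience wrapper: the checked byte count, or 0 if rejected. */
unsigned checked_num_bytes_or_zero(unsigned entries, unsigned field_size)
{
    unsigned n;
    return checked_num_bytes(entries, field_size, &n) == 0 ? n : 0;
}

/* Allocate the table only after the size has been validated, so an
 * overflowing table is rejected with nothing to free. */
unsigned char *alloc_sample_size_table(unsigned entries, unsigned field_size,
                                       unsigned padding, unsigned *num_bytes)
{
    unsigned n;
    if (checked_num_bytes(entries, field_size, &n) < 0)
        return NULL;
    if (num_bytes)
        *num_bytes = n;
    return calloc(n + padding, 1);          /* n <= UINT_MAX/8, so no wrap */
}

int main(void)
{
    /* Constructed hostile input: 0x20000001 entries of 8-bit sizes.
     * 0x20000001 * 8 = 0x100000008 wraps to 8; (8+4)>>3 == 1 byte. */
    unsigned hostile_entries = 0x20000001u;
    unsigned n;

    printf("naive   : %u bytes for %u entries\n",
           naive_num_bytes(hostile_entries, 8), hostile_entries);
    printf("checked : %s\n",
           checked_num_bytes(hostile_entries, 8, &n) < 0 ? "rejected" : "accepted");

    /* Benign input: 10 entries of 4-bit sizes -> (40+4)>>3 == 5 bytes. */
    unsigned char *tab = alloc_sample_size_table(10, 4, 16, &n);
    printf("benign  : %u bytes, allocation %s\n", n, tab ? "ok" : "failed");
    free(tab);
    return 0;
}
```

Run stand-alone it prints a 1-byte result from the naive formula for the hostile count and "rejected" from the checked one; the benign case yields 5 bytes and a padded allocation.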