[FFmpeg-devel] [PATCH] fix sierravmd overflow check

Reimar Döffinger Reimar.Doeffinger
Mon Sep 14 17:58:38 CEST 2009


Hello,
I think the current code can still have an integer overflow in the
malloc argument, and I think this patch would fix it, agreed?
Index: libavformat/sierravmd.c
===================================================================
--- libavformat/sierravmd.c     (revision 19824)
+++ libavformat/sierravmd.c     (working copy)
@@ -154,7 +154,7 @@
     vmd->frame_table = NULL;
     sound_buffers = AV_RL16(&vmd->vmd_header[808]);
     raw_frame_table_size = vmd->frame_count * 6;
-    if(vmd->frame_count * vmd->frames_per_block  >= UINT_MAX / sizeof(vmd_frame)){
+    if(vmd->frame_count * vmd->frames_per_block  >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
         av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
         return -1;
     }
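Review bot: the new bound on the `if` line guards the wrong shape of expression if the allocation it protects adds sound_buffers to the element count before multiplying, i.e. `(vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame)`. Accepting a product n under `n < (UINT_MAX - sound_buffers) / sizeof(vmd_frame)` only guarantees `n * sizeof(vmd_frame) + sound_buffers <= UINT_MAX`; the remaining `(sound_buffers - 1) * sizeof(vmd_frame)` bytes can still wrap, and sound_buffers is the raw 16-bit header field read two lines above. For that shape the bound should be `UINT_MAX / sizeof(vmd_frame) - sound_buffers` (the allocation itself is outside the hunk, so please confirm which form it has before committing). In either case the av_log message still names only `vmd->frame_count * vmd->frames_per_block`; add sound_buffers to it, and a one-line comment saying which allocation the check covers would save the next reader the same derivation.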




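The arithmetic behind the two candidate bounds, as an added example that is not part of this mail or of FFmpeg. It assumes a 32-bit `unsigned int`, that the guarded allocation has the shape `(frame_count * frames_per_block + sound_buffers) * sizeof(vmd_frame)`, and a stand-in `vmd_frame` layout; `rl16`, `rejects_patched`, `rejects_fixed`, `alloc_overflows` and `count_misses` are hypothetical helper names. `rejects_patched` is the check as posted, `rejects_fixed` the `UINT_MAX / sizeof - sound_buffers` form, and `alloc_overflows` is a 64-bit oracle that says whether the allocation really wraps; the sweep shows the posted bound lets overflowing 16-bit inputs through while the other does not.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libavformat's vmd_frame; the layout is assumed, not FFmpeg's. */
typedef struct {
    uint8_t  frame_record[16];
    unsigned frame_offset;
    unsigned frame_size;
    int      stream_index;
    int64_t  pts;
} vmd_frame;

/* Little-endian 16-bit read, same result as FFmpeg's AV_RL16. */
static unsigned rl16(const uint8_t *p) { return p[0] | (unsigned)p[1] << 8; }

/* Bound from the posted patch; returns 1 when the input is rejected.
 * Accepting n = fc*fpb only guarantees n*elem + s <= UINT_MAX, which is
 * the wrong quantity if the allocation is (n + s)*elem. */
static int rejects_patched(unsigned fc, unsigned fpb, unsigned s, size_t elem)
{
    return fc * fpb >= (UINT_MAX - s) / elem;
}

/* Bound for an allocation of (n + s)*elem bytes: accepting n means
 * n + s < UINT_MAX/elem, hence (n + s)*elem <= UINT_MAX - elem.
 * The first test keeps UINT_MAX/elem - s from wrapping when s alone is
 * already too large (impossible for a 16-bit s and a small elem, but free). */
static int rejects_fixed(unsigned fc, unsigned fpb, unsigned s, size_t elem)
{
    if (s >= UINT_MAX / elem)
        return 1;
    return fc * fpb >= UINT_MAX / elem - s;
}

/* Oracle: does (fc*fpb + s)*elem exceed UINT_MAX? Computed in 64 bits. */
static int alloc_overflows(unsigned fc, unsigned fpb, unsigned s, size_t elem)
{
    uint64_t n = (uint64_t)fc * fpb + s;
    return n * elem > UINT_MAX;
}

/* Sweep 16-bit header values (coarse steps keep it fast) and count inputs
 * that really overflow but that the selected check still accepts. */
static unsigned long count_misses(size_t elem, int use_patched)
{
    static const unsigned s_vals[] = { 0, 1, 0x8000, 0xFFFF };
    unsigned long misses = 0;
    for (unsigned fc = 0; fc <= 0xFFFF; fc += 97)
        for (unsigned fpb = 0; fpb <= 0xFFFF; fpb += 89)
            for (size_t i = 0; i < sizeof s_vals / sizeof s_vals[0]; i++) {
                unsigned s = s_vals[i];
                int rej = use_patched ? rejects_patched(fc, fpb, s, elem)
                                      : rejects_fixed(fc, fpb, s, elem);
                if (!rej && alloc_overflows(fc, fpb, s, elem))
                    misses++;
            }
    return misses;
}

int main(void)
{
    /* Constructed header: only the sound_buffers field at offset 808 is set. */
    uint8_t header[810];
    memset(header, 0, sizeof header);
    header[808] = 0xFF;
    header[809] = 0xFF;
    unsigned s   = rl16(&header[808]);
    unsigned fc  = 65535, fpb = 1638;  /* product just under the posted bound */
    size_t elem  = sizeof(vmd_frame);

    printf("sound_buffers=%u elem=%zu\n", s, elem);
    printf("posted check rejects: %d, fixed check rejects: %d, really overflows: %d\n",
           rejects_patched(fc, fpb, s, elem), rejects_fixed(fc, fpb, s, elem),
           alloc_overflows(fc, fpb, s, elem));
    printf("sweep misses: posted=%lu fixed=%lu\n",
           count_misses(elem, 1), count_misses(elem, 0));
    return 0;
}
```

`elem` is passed explicitly so the same functions can be checked against a fixed element size; with `sizeof(vmd_frame)` the exact numbers depend on the platform's padding, but the posted bound always leaves a window of roughly `sound_buffers` element counts that wrap.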