ffmpeg | branch: master | Andreas Rheinhardt <[email protected]> | Tue Sep 12 13:46:25 2023 +0200| [78169f397dad3d9af9cd750441e11b7e201e3949] | committer: Andreas Rheinhardt
avformat/wtvdec: Fix signed integer overflow Happens when length > INT_MAX / 2; use unsigned for the computation, but restrict the value to INT_MAX, because avio_get_str16le() accepts an int as buf_len argument. Notice that it can happen that the string read by avio_get_str16le() is truncated in this case. Reviewed-by: Peter Ross <[email protected]> Signed-off-by: Andreas Rheinhardt <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78169f397dad3d9af9cd750441e11b7e201e3949 --- libavformat/wtvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 2de6dc2103..4ce4b6403e 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -468,7 +468,7 @@ static void get_tag(AVFormatContext *s, AVIOContext *pb, const char *key, int ty return; } - buf_size = FFMAX(2*length, LEN_PRETTY_GUID) + 1; + buf_size = FFMIN(FFMAX(2U * length, LEN_PRETTY_GUID) + 1, INT_MAX); buf = av_malloc(buf_size); if (!buf) return; _______________________________________________ ffmpeg-cvslog mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
