On 8/24/2018 4:48 PM, Paul B Mahol wrote: > On 8/24/18, James Almer <jamr...@gmail.com> wrote: >> On 8/24/2018 3:48 PM, Paul B Mahol wrote: >>> Signed-off-by: Paul B Mahol <one...@gmail.com> >>> --- >>> libavcodec/Makefile | 1 + >>> libavcodec/allcodecs.c | 1 + >>> libavcodec/avcodec.h | 1 + >>> libavcodec/codec_desc.c | 7 ++ >>> libavcodec/mwsc.c | 174 ++++++++++++++++++++++++++++++++++++++++ >>> libavformat/riff.c | 1 + >>> 6 files changed, 185 insertions(+) >>> create mode 100644 libavcodec/mwsc.c >>> > > [...] > >>> + >>> + s->decomp_size = 8 * avctx->height * ((avctx->width * >>> avctx->bits_per_coded_sample + 31) / 32); >> >> avctx->height and avctx->width are not checked for sane values. And even >> then, couldn't this overflow? >> > > What you propose as solution? IIRC width/height are already checked at > higher level, > no need to check them again because we do not change them here.
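Review bot: in the `s->decomp_size` assignment, the inner product `avctx->width * avctx->bits_per_coded_sample` and the outer multiplication by `8 * avctx->height` have no bound visible in this hunk, so an intermediate result can overflow before the value is stored. Even if width and height are validated at a higher level, `avctx->bits_per_coded_sample` also feeds the product and is not checked here. Suggest computing the size in a 64-bit type and returning an error when it does not fit the type of `decomp_size`, or sizing the allocation through av_malloc_array() as proposed in the reply.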
At least check for overflow in this calculation. Use av_malloc_array(), or check before setting s->decomp_size.
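One way to do the overflow check asked for in this reply, as an added example that is not part of the thread or of FFmpeg's code. `checked_decomp_size` and `wrapped_decomp_size` are hypothetical names, the inputs are constructed, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not FFmpeg code): computes
 * 8 * height * ((width * bits + 31) / 32) and stores it in *out.
 * Returns 0 on success, -1 if an input is non-positive or the
 * result does not fit in an int. Assumes a 32-bit int. */
static int checked_decomp_size(int width, int height, int bits, int *out)
{
    int64_t row_words, total;

    if (width <= 0 || height <= 0 || bits <= 0)
        return -1;

    /* Both factors are at most INT_MAX, so the product fits in 64 bits. */
    row_words = ((int64_t)width * bits + 31) / 32;

    /* Bound row_words first so the 64-bit product below cannot wrap. */
    if (row_words > INT_MAX / 8)
        return -1;

    total = 8 * row_words * height;
    if (total > INT_MAX)
        return -1;

    *out = (int)total;
    return 0;
}

/* The same formula in 32-bit unsigned arithmetic, to show the wrapped
 * value without relying on signed-overflow undefined behaviour. */
static uint32_t wrapped_decomp_size(uint32_t width, uint32_t height, uint32_t bits)
{
    return 8u * height * ((width * bits + 31u) / 32u);
}

int main(void)
{
    int size = 0;
    /* Constructed inputs, chosen only to exercise the arithmetic. */
    int rc = checked_decomp_size(640, 480, 24, &size);
    printf("640x480x24: rc=%d size=%d\n", rc, size);
    rc = checked_decomp_size(65536, 65536, 32, &size);
    printf("65536x65536x32: rc=%d wrapped=%u\n", rc,
           (unsigned)wrapped_decomp_size(65536, 65536, 32));
    return 0;
}
```

With the second set of inputs the unchecked 32-bit result wraps to 0, which is why the size has to be validated before it is used for an allocation.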