On 4/8/2019 12:42 PM, Paul B Mahol wrote:
>>> +static int decode_huffman2(AVCodecContext *avctx, int header, int size)
>>> +{
>>> +    AGMContext *s = avctx->priv_data;
>>> +    GetBitContext *gb = &s->gb;
>>> +    uint8_t lens[256];
>>> +    uint32_t output_size;
>>> +    int ret, x, len;
>>> +
>>> +    if ((ret = init_get_bits8(gb, s->gbyte.buffer,
>>> +                              bytestream2_get_bytes_left(&s->gbyte))) <
>>> 0)
>>> +        return ret;
>>> +
>>> +    output_size = get_bits_long(gb, 32);
>>> +
>>> +    av_fast_padded_malloc(&s->output, &s->output_size,
>>> +                          output_size * sizeof(*s->output));
>> Several chances for overflow here.
> Yes, changed output_size to int.

No, it needs to be unsigned for av_fast_padded_malloc(). What you need
to also make unsigned is s->output_size instead.

Also, that sizeof(*s->output) seems superfluous.
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to