On 4/8/2019 12:42 PM, Paul B Mahol wrote:
>>> +static int decode_huffman2(AVCodecContext *avctx, int header, int size) >>> +{ >>> + AGMContext *s = avctx->priv_data; >>> + GetBitContext *gb = &s->gb; >>> + uint8_t lens[256]; >>> + uint32_t output_size; >>> + int ret, x, len; >>> + >>> + if ((ret = init_get_bits8(gb, s->gbyte.buffer, >>> + bytestream2_get_bytes_left(&s->gbyte))) < >>> 0) >>> + return ret; >>> + >>> + output_size = get_bits_long(gb, 32); >>> + >>> + av_fast_padded_malloc(&s->output, &s->output_size, >>> + output_size * sizeof(*s->output));
>> Several chances for overflow here.
> Yes, changed output_size to int.
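Review bot: the value read by `output_size = get_bits_long(gb, 32);` is passed to av_fast_padded_malloc() without any validation, so the allocation size is entirely input-controlled (up to 4 GiB from a 32-bit field) and the product `output_size * sizeof(*s->output)` can wrap on targets where size_t is 32 bits. Bound output_size against the largest buffer this decoder can legitimately need before the call and return an error for anything larger instead of allocating; keep the variable unsigned, since av_fast_padded_malloc() takes the requested size as an unsigned quantity and a negative int would convert to a huge value rather than being rejected. The quoted lines also show no NULL check on s->output after av_fast_padded_malloc(), which frees the buffer and leaves the pointer NULL on failure; return AVERROR(ENOMEM) in that case before the output is written.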
No, it needs to be unsigned for av_fast_padded_malloc(). What you need to also make unsigned is s->output_size instead. Also, that sizeof(*s->output) seems superfluous.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".