On Sat, Sep 17, 2011 at 05:12:06PM +0200, Kostya Shishkov wrote: > On Sat, Sep 17, 2011 at 04:56:33PM +0200, [email protected] wrote: > > From: Laurent Aimar <[email protected]> > > > > --- > > libavformat/rmdec.c | 10 ++++++---- > > 1 files changed, 6 insertions(+), 4 deletions(-) > > > > diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c > > index 1c96573..81f563e 100644 > > --- a/libavformat/rmdec.c > > +++ b/libavformat/rmdec.c > > @@ -215,8 +215,9 @@ static int rm_read_audio_stream_info(AVFormatContext > > *s, AVIOContext *pb, > > ast->audio_framesize = st->codec->block_align; > > st->codec->block_align = coded_framesize; > > > > - if(ast->audio_framesize >= UINT_MAX / sub_packet_h){ > > - av_log(s, AV_LOG_ERROR, "ast->audio_framesize * > > sub_packet_h too large\n"); > > + if (ast->audio_framesize <= 0 || sub_packet_h <= 0 || > > + ast->audio_framesize >= UINT_MAX / sub_packet_h){ > > + av_log(s, AV_LOG_ERROR, "ast->audio_framesize * > > sub_packet_h is invalid\n"); > > return -1; > > } > > > > I don't think that sub_packet_h can ever be negative - it's 16-bit read into > an int. And framesize comes from codec block_align property so maybe it's > better just to check st->codec->block_align once. They can be 0 and then in this case there will be a division by 0.
-- fenrir
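Review bot: the rewritten condition in rm_read_audio_stream_info() folds two different failures (a zero or negative `ast->audio_framesize` / `sub_packet_h`, and the product overflowing) into the single message "ast->audio_framesize * sub_packet_h is invalid", so a log reader cannot tell which one rejected the file. Consider printing both values in the av_log() call, or splitting the check into two. The guard is only safe because `sub_packet_h <= 0` is evaluated before `UINT_MAX / sub_packet_h` and short-circuits the division; a one-line comment saying so would stop a later reordering from reintroducing the division by zero. The patch as posted also has no description, and the division-by-zero case it fixes should be stated in the commit message.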
