From: Michael Niedermayer <[email protected]>
On allocation, the array length is multiplied by sizeof(int64_t);
this prevents the multiplication from overflowing.
---
libavformat/flvdec.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 474c4d8..ad00c65 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -161,6 +161,9 @@ static int parse_keyframes_index(AVFormatContext *s,
AVIOContext *ioc, AVStream
break;
arraylen = avio_rb32(ioc);
+ if (arraylen >> 28)
+ break;
+
/*
* Expect only 'times' or 'filepositions' sub-arrays in other case
refuse to use such metadata
* for indexing
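Review bot: The bound in `if (arraylen >> 28)` is an unexplained magic number, and nothing in the hunk ties it to the sizeof(int64_t) multiplication mentioned in the commit message. A one-line comment, or expressing the limit in terms of the element size (for example comparing against a maximum divided by sizeof(int64_t)), would keep the check correct if the element type or the allocation call changes later. The declaration of arraylen is not visible here; if it is a signed int, a value from avio_rb32() with the top bit set becomes negative and the right shift is implementation-defined, so an unsigned type or an explicit range comparison would be safer. Note also that the check only rules out overflow: a length just under 2^28 still requests close to 2 GiB from a value read straight from the file, so a tighter cap, or a comparison against the remaining input size, may be worth considering.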
--
1.7.3.1
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel