chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
packet size.
---
libavformat/idcin.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/libavformat/idcin.c b/libavformat/idcin.c
index 6a9b0ca..3acbc92 100644
--- a/libavformat/idcin.c
+++ b/libavformat/idcin.c
@@ -255,6 +255,11 @@ static int idcin_read_packet(AVFormatContext *s,
/* skip the number of decoded bytes (always equal to width * height) */
avio_skip(pb, 4);
chunk_size -= 4;
+ if (chunk_size > INT_MAX) {
+ av_log(s, AV_LOG_ERROR, "chunk size is too large: %u\n",
chunk_size);
+ avio_skip(pb, chunk_size);
+ return 0;
+ }
ret= av_get_packet(pb, pkt, chunk_size);
if (ret < 0)
return ret;
--
1.7.1
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
