On Wed, Aug 01, 2012 at 11:31:23AM -0400, Justin Ruggles wrote:
> chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
> packet size.
> ---
> libavformat/idcin.c | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/libavformat/idcin.c b/libavformat/idcin.c
> index 6a9b0ca..3acbc92 100644
> --- a/libavformat/idcin.c
> +++ b/libavformat/idcin.c
> @@ -255,6 +255,11 @@ static int idcin_read_packet(AVFormatContext *s,
> /* skip the number of decoded bytes (always equal to width * height)
> */
> avio_skip(pb, 4);
> chunk_size -= 4;
> + if (chunk_size > INT_MAX) {
> + av_log(s, AV_LOG_ERROR, "chunk size is too large: %u\n",
> chunk_size);
> + avio_skip(pb, chunk_size);
> + return 0;
> + }
> ret= av_get_packet(pb, pkt, chunk_size);
> if (ret < 0)
> return ret;
> --
LGTM
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
