Re: [libav-devel] [PATCH 08/10] idcin: check for integer overflow when calling av_get_packet()

Justin Ruggles Wed, 22 Aug 2012 08:36:16 -0700

On 08/04/2012 02:33 PM, Justin Ruggles wrote:
> chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
> packet size.
> ---
>  libavformat/idcin.c |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/libavformat/idcin.c b/libavformat/idcin.c
> index 74875cb..8cd86d1 100644
> --- a/libavformat/idcin.c
> +++ b/libavformat/idcin.c
> @@ -278,6 +278,10 @@ static int idcin_read_packet(AVFormatContext *s,
>          }
>  
>          chunk_size = avio_rl32(pb);
> +        if (chunk_size < 4 || chunk_size > INT_MAX - 4) {
> +            av_log(s, AV_LOG_ERROR, "invalid chunk size: %u\n", chunk_size);
> +            return AVERROR_INVALIDDATA;
> +        }
>          /* skip the number of decoded bytes (always equal to width * height) 
> */
>          avio_skip(pb, 4);
>          chunk_size -= 4;


ping.

-Justin

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

Re: [libav-devel] [PATCH 08/10] idcin: check for integer overflow when calling av_get_packet()

Reply via email to