[libav-commits] idcin: check for integer overflow when calling av_get_packet()

Justin Ruggles git at libav.org
Wed Jan 9 20:46:57 CET 2013


Module: libav
Branch: master
Commit: 33f58c3616d2870d3861da68217ef9d05cc5047a

Author:    Justin Ruggles <justin.ruggles at gmail.com>
Committer: Justin Ruggles <justin.ruggles at gmail.com>
Date:      Wed Aug  1 16:10:08 2012 -0400

idcin: check for integer overflow when calling av_get_packet()

chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the
packet size.

---

 libavformat/idcin.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/libavformat/idcin.c b/libavformat/idcin.c
index 7a0042b..93ba721 100644
--- a/libavformat/idcin.c
+++ b/libavformat/idcin.c
@@ -278,6 +278,10 @@ static int idcin_read_packet(AVFormatContext *s,
         }
 
         chunk_size = avio_rl32(pb);
+        if (chunk_size < 4 || chunk_size > INT_MAX - 4) {
+            av_log(s, AV_LOG_ERROR, "invalid chunk size: %u\n", chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
         /* skip the number of decoded bytes (always equal to width * height) */
         avio_skip(pb, 4);
         chunk_size -= 4;
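
Review bot: The lower bound in the added `if (chunk_size < 4 || chunk_size > INT_MAX - 4)` accepts chunk_size == 4, which the following `chunk_size -= 4;` turns into a size of 0 for the packet read. If an empty payload is not valid for this format, reject it here with `chunk_size <= 4`; if it is valid, say so in a comment. The upper bound also deserves a one-line comment: because 4 is subtracted immediately afterwards, `INT_MAX - 4` is stricter than the signed-int limit described in the commit message strictly requires, and a reader cannot tell whether the extra margin is deliberate. The four inserted lines add no include, so confirm that `INT_MAX` is already available in idcin.c through `<limits.h>` or an existing header. If chunk_size is declared as `uint32_t` rather than `unsigned int`, the `%u` in the log call should be `"%"PRIu32`.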


