On Wed, 11 Sep 2013, Luca Barbato wrote:
On 11/09/13 22:47, Martin Storsjö wrote:Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] --- libavformat/sierravmd.c | 9 +++++++++ 1 file changed, 9 insertions(+)diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c index 645b99b..8915001 100644 --- a/libavformat/sierravmd.c +++ b/libavformat/sierravmd.c @@ -199,6 +199,10 @@ static int vmd_read_header(AVFormatContext *s) avio_read(pb, chunk, BYTES_PER_FRAME_RECORD); type = chunk[0]; size = AV_RL32(&chunk[2]); + if (size > INT_MAX/2) {^^^ spaces Why INT_MAX / 2 btw?
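Review bot: the bound in `+ if (size > INT_MAX/2) {` reads as a magic number; put its purpose (keeping `size + BYTES_PER_FRAME_RECORD`, and the later use of that sum, from overflowing an int) in a one-line comment next to the check so the next reader does not have to ask the same question, and, per the style point already raised, write it `INT_MAX / 2`. The hunk header announces four added lines but only this one is visible in the quote, so the body of the `if` (what it returns and whether it unwinds anything already allocated in vmd_read_header) cannot be reviewed from here.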
Because we need to be sure that size + BYTES_PER_FRAME_RECORD doesn't wrap. We could explicitly check for INT_MAX - BYTES_PER_FRAME_RECORD, but INT_MAX / 2 gives a bit more margin since it really shouldn't be all that big mostly anyway (Kostya suggested this for another patch earlier today, http://patches.libav.org/patch/42128/).
I amended this one as well to add spaces around the operator. // Martin
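The following is an added, stand-alone C example written for this page to show the bound Martin describes in action; it is not libav's sierravmd.c. It assumes the record layout visible in the quoted hunk (type byte at offset 0, 32-bit little-endian size at offset 2), takes BYTES_PER_FRAME_RECORD to be 16 and uses ERR_INVALIDDATA as a stand-in for an AVERROR-style failure code; the rl32() helper is a local reimplementation of what AV_RL32() does. It parses constructed frame records, rejects a size field above INT_MAX / 2, and contrasts that bound with the exact INT_MAX - BYTES_PER_FRAME_RECORD limit.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libav's code. Assumed constants: the record size is
 * taken to be 16 and ERR_INVALIDDATA stands in for an AVERROR-style code. */
#define BYTES_PER_FRAME_RECORD 16
#define ERR_INVALIDDATA (-1)

/* Little-endian 32-bit read, the same operation AV_RL32() performs. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one frame record and compute how many bytes the frame needs
 * including its record header. The size field stays unsigned until it has
 * been bounded: rejecting anything above INT_MAX / 2 guarantees that
 * size + BYTES_PER_FRAME_RECORD fits in an int with headroom to spare,
 * which is the wrap the patch under discussion guards against.
 * Returns 0 and stores the total on success, ERR_INVALIDDATA otherwise. */
int vmd_frame_total_size(const uint8_t *chunk, int *total)
{
    uint32_t size = rl32(&chunk[2]);

    if (size > INT_MAX / 2)
        return ERR_INVALIDDATA;

    *total = (int)size + BYTES_PER_FRAME_RECORD; /* cannot overflow after the check */
    return 0;
}

/* The tightest bound that would still prevent the wrap; INT_MAX / 2 sits
 * far below it, which is the extra margin mentioned in the thread. */
int exact_bound(void)
{
    return INT_MAX - BYTES_PER_FRAME_RECORD;
}

/* Build a constructed record carrying the given size field and run it
 * through the check. Returns the computed total, or ERR_INVALIDDATA. */
int total_for_size_field(uint32_t size_field)
{
    uint8_t rec[BYTES_PER_FRAME_RECORD];
    int total = 0;

    memset(rec, 0, sizeof rec);
    rec[0] = 2;                      /* arbitrary frame type for the sample */
    rec[2] = (uint8_t)(size_field);
    rec[3] = (uint8_t)(size_field >> 8);
    rec[4] = (uint8_t)(size_field >> 16);
    rec[5] = (uint8_t)(size_field >> 24);

    if (vmd_frame_total_size(rec, &total) < 0)
        return ERR_INVALIDDATA;
    return total;
}

int main(void)
{
    /* Constructed size fields: a sane one, one that would wrap, and the
     * two values either side of the INT_MAX / 2 boundary. */
    const uint32_t samples[] = { 1000u, 0xFFFFFFF0u, (uint32_t)INT_MAX / 2,
                                 (uint32_t)INT_MAX / 2 + 1 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = total_for_size_field(samples[i]);
        if (r < 0)
            printf("size field %u rejected\n", samples[i]);
        else
            printf("size field %u -> %d bytes including record header\n",
                   samples[i], r);
    }
    printf("exact bound would be %d, INT_MAX / 2 is %d\n",
           exact_bound(), INT_MAX / 2);
    return 0;
}
```

Keeping the size field in an unsigned type until after the comparison is the one design choice worth noting: if the raw 32-bit value were stored in an int first, a field with the top bit set would compare as negative and sail past a `size > INT_MAX / 2` test.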
_______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
