[libav-devel] [PATCH 07/10] sierravmd: Do sanity checking of frame sizes

Martin Storsjö Wed, 11 Sep 2013 14:25:28 -0700

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: [email protected]
---
 libavformat/sierravmd.c |    9 +++++++++
 1 file changed, 9 insertions(+)


diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c
index 645b99b..8915001 100644
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -199,6 +199,10 @@ static int vmd_read_header(AVFormatContext *s)
             avio_read(pb, chunk, BYTES_PER_FRAME_RECORD);
             type = chunk[0];
             size = AV_RL32(&chunk[2]);
+            if (size > INT_MAX/2) {
+                av_log(s, AV_LOG_ERROR, "Invalid frame size\n");
+                goto error;
+            }
             if(!size && type != 1)
                 continue;
             switch(type) {
@@ -235,6 +239,11 @@ static int vmd_read_header(AVFormatContext *s)
     vmd->frame_count = total_frames;
 
     return 0;
+
+error:
+    av_free(raw_frame_table);
+    av_free(vmd->frame_table);
+    return AVERROR_INVALIDDATA;
 }
 
 static int vmd_read_packet(AVFormatContext *s,
-- 
1.7.9.4

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH 07/10] sierravmd: Do sanity checking of frame sizes

Reply via email to