From 3dbc0ff9c3e6f6e0d08ea3d42cb33761bae084ba Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 5 Mar 2013 01:35:28 +0100
Subject: [PATCH] iff: fix integer overflow
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/iff.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 348026a725..100d981cab 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -250,6 +250,8 @@ static int iff_read_header(AVFormatContext *s)
 break;
 case ID_CMAP:
+ if (data_size > INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_INVALIDDATA;
 st->codec->extradata_size = data_size + IFF_EXTRA_VIDEO_SIZE;
 st->codec->extradata = av_malloc(data_size + IFF_EXTRA_VIDEO_SIZE + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!st->codec->extradata)
@@ -410,6 +412,7 @@ static int iff_read_header(AVFormatContext *s)
 if (!st->codec->extradata)
 return AVERROR(ENOMEM);
 }
+ av_assert0(st->codec->extradata_size >= IFF_EXTRA_VIDEO_SIZE);
 buf = st->codec->extradata;
 bytestream_put_be16(&buf, IFF_EXTRA_VIDEO_SIZE);
 bytestream_put_byte(&buf, iff->bitmap_compression);
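Review bot: The new bound in the ID_CMAP branch is correct only if data_size is an unsigned or wider-than-int type; its declaration is outside the hunk, and a signed negative value would pass the `>` comparison and still wrap the int-typed extradata_size and the av_malloc argument, so that assumption deserves to be stated next to the check. The expression `INT_MAX - IFF_EXTRA_VIDEO_SIZE - FF_INPUT_BUFFER_PADDING_SIZE` also reads as arbitrary without a word on why; suggest `/* extradata_size is an int and the allocation below adds IFF_EXTRA_VIDEO_SIZE + padding: reject any data_size that would overflow either sum */` above the `if`. Separately, the buffer comes from av_malloc rather than av_mallocz, so the FF_INPUT_BUFFER_PADDING_SIZE tail is uninitialized unless it is cleared later, which this hunk cannot show. iff_read_header starts before and ends after the hunk.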
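Review bot: `av_assert0` turns a violated size assumption into a process abort, which is only appropriate if every path reaching this point (the ID_CMAP branch of the first hunk and the fallback allocation whose `if (!st->codec->extradata) return AVERROR(ENOMEM);` closes just above) guarantees extradata_size >= IFF_EXTRA_VIDEO_SIZE; the function begins before the hunk, so that cannot be confirmed here. If any path can leave extradata_size derived from file contents, `if (st->codec->extradata_size < IFF_EXTRA_VIDEO_SIZE) return AVERROR_INVALIDDATA;` would reject the malformed input instead of crashing the demuxer, while keeping the bytestream_put_* writes that follow within the allocation. If the invariant is in fact established by the allocations above, a one-line comment saying so would justify the assert to the next reader.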