diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-09-24 19:57:31 +0400 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2011-09-26 21:31:32 +0400 |
| commit | fed7f5b04f0ddde81fe1de1af725a63461a31f6f (patch) | |
| tree | b6f52cfc525824b0b326b1dc01c4466d70518ec1 /libavformat/flvdec.c | |
| parent | dde0fb4aeaf855fc38fb002c23dbbeba06407a09 (diff) | |
flvdec: Check for overflow before allocating arrays
On allocation, the array length is multiplied by sizeof(int64_t),
this prevents the multiplication from overflowing.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a246cefa75aed2ade315d6d09068aacb6b0fe76b)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavformat/flvdec.c')
| -rw-r--r-- | libavformat/flvdec.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c6b386e28f..5f442f7265 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -147,6 +147,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream break; arraylen = avio_rb32(ioc); + if (arraylen >> 28) + break; + /* * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata * for indexing |