flvdec: Check for overflow before allocating arrays

Message ID 1316879994-50537-1-git-send-email-martin@martin.st
State Committed
Commit a246cefa75aed2ade315d6d09068aacb6b0fe76b

Commit Message

Martin Storsjö Sept. 24, 2011, 3:59 p.m.
From: Michael Niedermayer <michaelni@gmx.at>

On allocation, the array length is multiplied by sizeof(int64_t),
this prevents the multiplication from overflowing.
---
 libavformat/flvdec.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Comments

Luca Barbato Sept. 24, 2011, 7:29 p.m. | #1
On 9/24/11 5:59 PM, Martin Storsjö wrote:
> From: Michael Niedermayer<michaelni@gmx.at>
>
> On allocation, the array length is multiplied by sizeof(int64_t),
> this prevents the multiplication from overflowing.
> ---

Ok.

Martin Storsjö Sept. 25, 2011, 9:58 a.m. | #2
On Sat, 24 Sep 2011, Luca Barbato wrote:

> On 9/24/11 5:59 PM, Martin Storsjö wrote:
>> From: Michael Niedermayer<michaelni@gmx.at>
>> 
>> On allocation, the array length is multiplied by sizeof(int64_t),
>> this prevents the multiplication from overflowing.
>> ---
>
> Ok.

Pushed

// Martin

Patch

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 474c4d8..ad00c65 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -161,6 +161,9 @@  static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
             break;
 
         arraylen = avio_rb32(ioc);
+        if (arraylen >> 28)
+            break;
+
         /*
          * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata
          * for indexing
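
Review bot: the bound in `if (arraylen >> 28)` is a bare magic number, and nothing at the check says why it is 28. Per the commit message the length is later multiplied by sizeof(int64_t), which is 8, so rejecting any value of 2^28 or more keeps the product below 2^31; a one-line comment stating that, or writing the limit in terms of the element size (for example comparing arraylen against INT_MAX / sizeof(int64_t)), would keep the check tied to the allocation if the element type ever changes. The declaration of arraylen is not visible in this hunk; if it is a signed type, a plain comparison also avoids right-shifting a negative value, whose result is implementation-defined in C.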