RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fixing an integer overflow, which could lead to overwriting the end of a malloced buffer by 8 bytes 

Originally committed as revision 3937 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Michael Niedermayer 2005-02-04 18:58:59 +00:00
parent db2fcbbdb3
commit 360130378b
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
libavformat/sierravmd.c
View File

@ -212,7 +212,8 @@ static int vmd_read_header(AVFormatContext *s,
/* if the frame size is 0, do not count the frame and bring the
* total frame count down */
vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]);
// note, we limit the size to 1Gb to ensure that we dont end up overflowing the size integer used to allocate the memory
vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]) & 0x3FFFFFFF;
/* this logic is present so that 0-length audio chunks are not
* accounted */