From fed7f5b04f0ddde81fe1de1af725a63461a31f6f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Sep 2011 18:57:31 +0300 Subject: [PATCH] flvdec: Check for overflow before allocating arrays MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On allocation, the array length is multiplied by sizeof(int64_t), this prevents the multiplication from overflowing. Signed-off-by: Martin Storsjö (cherry picked from commit a246cefa75aed2ade315d6d09068aacb6b0fe76b) Signed-off-by: Reinhard Tartler --- libavformat/flvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index c6b386e28f..5f442f7265 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -147,6 +147,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream break; arraylen = avio_rb32(ioc); + if (arraylen >> 28) + break; + /* * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata * for indexing