[SCM] libav/experimental: fixing an integer overflow, which could lead to overwriting the end of a malloced buffer by 8 bytes

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sun Jun 30 15:43:01 UTC 2013


The following commit has been merged in the experimental branch:
commit 360130378b4a0029a2a341398b08a7d7acfe85d5
Author: Michael Niedermayer <michaelni at gmx.at>
Date:   Fri Feb 4 18:58:59 2005 +0000

    fixing an integer overflow, which could lead to overwriting the end of a malloced buffer by 8 bytes
    
    Originally committed as revision 3937 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c
index 16b6a8d..b1484b5 100644
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -212,7 +212,8 @@ static int vmd_read_header(AVFormatContext *s,
 
         /* if the frame size is 0, do not count the frame and bring the
          * total frame count down */
-        vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]);
+        // note, we limit the size to 1Gb to ensure that we dont end up overflowing the size integer used to allocate the memory
+        vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]) & 0x3FFFFFFF; 
 
         /* this logic is present so that 0-length audio chunks are not
          * accounted */
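Review bot: the new `& 0x3FFFFFFF` mask silently shrinks an out-of-range frame size instead of rejecting it; a record whose size field has either of the top two bits set is corrupt input, and an explicit bounds check on `LE_32(&current_frame_record[2])` that fails the header read with an error would make the intent clear and keep a bad file from being parsed with a wrong size. Please also confirm that the "size integer used to allocate the memory" mentioned in the comment is derived from a single `frame_size` and not from a sum over all frames, since capping each entry at 1 GiB does not by itself stop a 32-bit total from wrapping. Minor style points on the added line: the `//` comment differs from the `/* ... */` style used on the surrounding lines, "dont" should read "don't", "1Gb" reads as gigabit where 0x3FFFFFFF is one byte short of 1 GiB, and the statement carries trailing whitespace after the semicolon.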

-- 
Libav/FFmpeg packaging