ffmpeg | branch: release/3.4 | Michael Niedermayer <mich...@niedermayer.cc> | Tue Jul 3 21:01:23 2018 +0200| [9dea41eac7229688e566a4a3e3f8251acf7ab97c] | committer: Michael Niedermayer
avformat/asfdec_o: Check size_bmp more fully Fixes: integer overflow and out of array access Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7 Found-by: Paul Ch <paulc...@icloud.com> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9dea41eac7229688e566a4a3e3f8251acf7ab97c --- libavformat/asfdec_o.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 5122e33c78..b4b2698368 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -706,7 +706,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE) { + if (size_bmp > BMP_HEADER_SIZE && + size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { int ret; st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
