Fix remotely exploitable arbitrary code execution vulnerability.

Found by Tobias Klein / tk // trapkit / de / See: http://www.trapkit.de/advisories/TKADV2009-004.txt Originally committed as revision 16846 to svn://svn.ffmpeg.org/ffmpeg/trunk

Fix remotely exploitable arbitrary code execution vulnerability.
Found by Tobias Klein / tk // trapkit / de / See: http://www.trapkit.de/advisories/TKADV2009-004.txt Originally committed as revision 16846 to svn://svn.ffmpeg.org/ffmpeg/trunk
0838cfdc · Michael Niedermayer · 5a446bc8 · 0838cfdc
Commit 0838cfdc authored Jan 28, 2009 by Michael Niedermayer
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 4 deletions

4xm.c libavformat/4xm.c +5 -4

No files found.
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -166,12 +166,13 @@ static int fourxm_read_header(AVFormatContext *s,
                goto fail;
            }
            current_track = AV_RL32(&header[i + 8]);
-            if (current_track + 1 > fourxm->track_count) {
-                fourxm->track_count = current_track + 1;
-                if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)){
+            if((unsigned)current_track >= UINT_MAX / sizeof(AudioTrack) - 1){
+                av_log(s, AV_LOG_ERROR, "current_track too large\n");
                ret= -1;
                goto fail;
            }
+            if (current_track + 1 > fourxm->track_count) {
+                fourxm->track_count = current_track + 1;
                fourxm->tracks = av_realloc(fourxm->tracks,
                    fourxm->track_count * sizeof(AudioTrack));
                if (!fourxm->tracks) {