Commit 0d6da4b8 authored by Reimar Döffinger's avatar Reimar Döffinger

Fix overflow check insufficiently improved in r19840.

It assumes that sizeof(vmd_frame) < 64k, otherwise an additional
check to ensure sound_buffers <= UINT_MAX / sizeof(vmd_frame) would be necessary.

Originally committed as revision 19882 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent d859bb1d
...@@ -161,7 +161,7 @@ static int vmd_read_header(AVFormatContext *s, ...@@ -161,7 +161,7 @@ static int vmd_read_header(AVFormatContext *s,
vmd->frame_table = NULL; vmd->frame_table = NULL;
sound_buffers = AV_RL16(&vmd->vmd_header[808]); sound_buffers = AV_RL16(&vmd->vmd_header[808]);
raw_frame_table_size = vmd->frame_count * 6; raw_frame_table_size = vmd->frame_count * 6;
if(vmd->frame_count * vmd->frames_per_block >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){ if(vmd->frame_count * vmd->frames_per_block >= UINT_MAX / sizeof(vmd_frame) - sound_buffers){
av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n"); av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
return -1; return -1;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment