avformat/asfdec_o: Check size_bmp more fully

Fixes: integer overflow and out of array access Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7 Found-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/asfdec_o: Check size_bmp more fully
Fixes: integer overflow and out of array access Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7 Found-by: Paul Ch <paulcher@icloud.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2b46ebdb · Michael Niedermayer · bab0716c · 2b46ebdb
Commit 2b46ebdb authored Jul 03, 2018 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

asfdec_o.c libavformat/asfdec_o.c +2 -1

No files found.
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -706,7 +706,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
    st->codecpar->codec_id  = ff_codec_get_id(ff_codec_bmp_tags, tag);
    size_bmp = FFMAX(size_asf, size_bmp);

-    if (size_bmp > BMP_HEADER_SIZE) {
+    if (size_bmp > BMP_HEADER_SIZE &&
+        size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
        int ret;
        st->codecpar->extradata_size  = size_bmp - BMP_HEADER_SIZE;
        if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +