Commit 2b46ebdb authored by Michael Niedermayer's avatar Michael Niedermayer

avformat/asfdec_o: Check size_bmp more fully

Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7
Found-by: 's avatarPaul Ch <paulcher@icloud.com>
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent bab0716c
......@@ -706,7 +706,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag);
size_bmp = FFMAX(size_asf, size_bmp);
if (size_bmp > BMP_HEADER_SIZE) {
if (size_bmp > BMP_HEADER_SIZE &&
size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
int ret;
st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE;
if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size +
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment