idcin: check for integer overflow when calling av_get_packet()

chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the packet size.

idcin: check for integer overflow when calling av_get_packet()
chunk_size is unsigned 32-bit, but av_get_packet() takes a signed int as the packet size.
33f58c36 · Justin Ruggles · 7040e479 · 33f58c36
Commit 33f58c36 authored Aug 01, 2012 by Justin Ruggles
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

idcin.c libavformat/idcin.c +4 -0

No files found.
--- a/libavformat/idcin.c
+++ b/libavformat/idcin.c
@@ -278,6 +278,10 @@ static int idcin_read_packet(AVFormatContext *s,
        }

        chunk_size = avio_rl32(pb);
+        if (chunk_size < 4 || chunk_size > INT_MAX - 4) {
+            av_log(s, AV_LOG_ERROR, "invalid chunk size: %u\n", chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
        /* skip the number of decoded bytes (always equal to width * height) */
        avio_skip(pb, 4);
        chunk_size -= 4;