xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is larger enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>

xwddec: prevent overflow of lsize * avctx->height
This is used to check if the input buffer is larger enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Anton Khirnov <anton@khirnov.net>
8431629d · Andreas Cadhalpun · Anton Khirnov · 5b83b24c · 8431629d
Commit 8431629d authored Dec 18, 2015 by Andreas Cadhalpun Committed by Anton Khirnov Jan 13, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

xwddec.c libavcodec/xwddec.c +1 -1

No files found.
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }

-    if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) {
+    if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) {
        av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
        return AVERROR_INVALIDDATA;
    }