xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

xwddec: prevent overflow of lsize * avctx->height
This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
9d38f06d · Andreas Cadhalpun · c413d9e6 · 9d38f06d
Commit 9d38f06d authored Dec 18, 2015 by Andreas Cadhalpun
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

xwddec.c libavcodec/xwddec.c +1 -1

No files found.
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
        return AVERROR_INVALIDDATA;
    }

-    if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) {
+    if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) {
        av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
        return AVERROR_INVALIDDATA;
    }