Limit fsize before adding to pointer.

This avoids a theoretically possible pointer arithmetic overflow which would lead to a crash due to reading from NULL page. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>

Limit fsize before adding to pointer.
This avoids a theoretically possible pointer arithmetic overflow which would lead to a crash due to reading from NULL page. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
b39f872a · Reimar Döffinger · 84006072 · b39f872a
Commit b39f872a authored Jul 30, 2011 by Reimar Döffinger
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

aacdec.c libavformat/aacdec.c +1 -0

No files found.
--- a/libavformat/aacdec.c
+++ b/libavformat/aacdec.c
@@ -47,6 +47,7 @@ static int adts_aac_probe(AVProbeData *p)
            fsize = (AV_RB32(buf2 + 3) >> 13) & 0x1FFF;
            if(fsize < 7)
                break;
+            fsize = FFMIN(fsize, end - buf2);
            buf2 += fsize;
        }
        max_frames = FFMAX(max_frames, frames);