Commit e4bc8af1 authored by Baptiste Coudurier's avatar Baptiste Coudurier

check entries against field_size, potential malloc overflow in read_stsz, fix #1357

Originally committed as revision 19793 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent 1c4bf2ec
......@@ -1256,7 +1256,7 @@ static int mov_read_stsz(MOVContext *c, ByteIOContext *pb, MOVAtom atom)
return -1;
}
if(entries >= UINT_MAX / sizeof(int))
if (entries >= UINT_MAX / sizeof(int) || entries >= (UINT_MAX - 4) / field_size)
return -1;
sc->sample_sizes = av_malloc(entries * sizeof(int));
if (!sc->sample_sizes)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment