summary |
shortlog |
log |
commit | commitdiff |
tree
raw |
patch |
inline | side by side (from parent 1:
342c43d)
Limit the size to INT_MAX/2 (for simplicity) to be sure that
size + BYTES_PER_FRAME_RECORD won't overflow.
Also factorize other existing error return paths.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
unsigned char *raw_frame_table;
int raw_frame_table_size;
int64_t current_offset;
unsigned char *raw_frame_table;
int raw_frame_table_size;
int64_t current_offset;
unsigned int total_frames;
int64_t current_audio_pts = 0;
unsigned char chunk[BYTES_PER_FRAME_RECORD];
unsigned int total_frames;
int64_t current_audio_pts = 0;
unsigned char chunk[BYTES_PER_FRAME_RECORD];
raw_frame_table = av_malloc(raw_frame_table_size);
vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame));
if (!raw_frame_table || !vmd->frame_table) {
raw_frame_table = av_malloc(raw_frame_table_size);
vmd->frame_table = av_malloc((vmd->frame_count * vmd->frames_per_block + sound_buffers) * sizeof(vmd_frame));
if (!raw_frame_table || !vmd->frame_table) {
- av_free(raw_frame_table);
- av_free(vmd->frame_table);
- return AVERROR(ENOMEM);
+ ret = AVERROR(ENOMEM);
+ goto error;
}
if (avio_read(pb, raw_frame_table, raw_frame_table_size) !=
raw_frame_table_size) {
}
if (avio_read(pb, raw_frame_table, raw_frame_table_size) !=
raw_frame_table_size) {
- av_free(raw_frame_table);
- av_free(vmd->frame_table);
- return AVERROR(EIO);
+ ret = AVERROR(EIO);
+ goto error;
avio_read(pb, chunk, BYTES_PER_FRAME_RECORD);
type = chunk[0];
size = AV_RL32(&chunk[2]);
avio_read(pb, chunk, BYTES_PER_FRAME_RECORD);
type = chunk[0];
size = AV_RL32(&chunk[2]);
+ if (size > INT_MAX / 2) {
+ av_log(s, AV_LOG_ERROR, "Invalid frame size\n");
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
if(!size && type != 1)
continue;
switch(type) {
if(!size && type != 1)
continue;
switch(type) {
vmd->frame_count = total_frames;
return 0;
vmd->frame_count = total_frames;
return 0;
+
+error:
+ av_free(raw_frame_table);
+ av_free(vmd->frame_table);
+ return ret;
}
static int vmd_read_packet(AVFormatContext *s,
}
static int vmd_read_packet(AVFormatContext *s,