Extend check for integer overflow for malloc argument to take into account

also the addition of "sound_buffers" not only the multiplication. Originally committed as revision 19840 to svn://svn.ffmpeg.org/ffmpeg/trunk

Extend check for integer overflow for malloc argument to take into account
also the addition of "sound_buffers" not only the multiplication. Originally committed as revision 19840 to svn://svn.ffmpeg.org/ffmpeg/trunk
21ab5c58 · Reimar Döffinger · 65d6d403 · 21ab5c58
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

libavformat/sierravmd.c libavformat/sierravmd.c +1 -1

未找到文件。
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -154,7 +154,7 @@ static int vmd_read_header(AVFormatContext *s,
    vmd->frame_table = NULL;
    sound_buffers = AV_RL16(&vmd->vmd_header[808]);
    raw_frame_table_size = vmd->frame_count * 6;
-    if(vmd->frame_count * vmd->frames_per_block  >= UINT_MAX / sizeof(vmd_frame)){
+    if(vmd->frame_count * vmd->frames_per_block  >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
        av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
        return -1;
    }