[Ffmpeg-devel] Re: Bethsoft VID demuxer and decoder

Mike Melanson mike
Tue Apr 3 23:49:58 CEST 2007

Nicholas T wrote:
> allocations? I don't see how the multiplication can overflow; sorry.
> Could you be more specific? The numbers are 256 or 320 for the width,
> multiplied by 200 for the height. Are you talking about integer
> overflow or memory overflow?

   int frame_width;
   int frame_height;

   vid->header.frame_width = AV_RL16(&scratch[7]);
   vid->header.frame_height = AV_RL16(&scratch[9]);

   uint8_t vidbuf_start[vid->header.frame_width * vid->header.frame_height * 2];

The concern is that frame width & height are init'd to 0xFFFF (think of 
a deliberately corrupted file). 0xFFFF * 0xFFFF * 2 = ... some big 
number, bigger than 32 bits.

	-Mike Melanson
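As an added illustration (not code from the thread or from FFmpeg), the kind of check a demuxer can apply before sizing that buffer: read the two dimension fields at the offsets shown above, compute width*height*2 in 64-bit arithmetic so the 0xFFFF*0xFFFF*2 case cannot wrap, and reject zero or oversized dimensions before any allocation happens. The rl16 helper, the 16 MiB bound and the two sample headers are my own assumptions and constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Little-endian 16-bit read with the same contract as FFmpeg's AV_RL16 (own implementation). */
static uint16_t rl16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Assumed sanity bound on one decoded frame (not a value from the thread): 16 MiB. */
#define MAX_FRAME_BYTES (16u * 1024u * 1024u)

/* Size of the width*height*2 buffer, computed in 64 bits so 0xFFFF*0xFFFF*2
 * cannot wrap. Returns 0 for a rejected header (zero or oversized dimensions). */
size_t vid_frame_buf_size(uint16_t w, uint16_t h)
{
    if (w == 0 || h == 0)
        return 0;
    uint64_t need = (uint64_t)w * h * 2;   /* at most 8589672450, fits in 64 bits */
    if (need > MAX_FRAME_BYTES)
        return 0;
    return (size_t)need;
}

/* Read the two dimension fields at the offsets shown in the thread (7 and 9).
 * Returns 0 if the header is too short or the size is rejected. */
size_t vid_check_header(const uint8_t *hdr, size_t len)
{
    if (len < 11)
        return 0;
    return vid_frame_buf_size(rl16(&hdr[7]), rl16(&hdr[9]));
}

/* Constructed headers: a legitimate 320x200 file and a corrupted 0xFFFF x 0xFFFF one. */
const uint8_t vid_hdr_good[11] = { 0, 0, 0, 0, 0, 0, 0, 0x40, 0x01, 0xC8, 0x00 };
const uint8_t vid_hdr_bad[11]  = { 0, 0, 0, 0, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF };

int main(void)
{
    size_t n = vid_check_header(vid_hdr_good, sizeof vid_hdr_good);
    uint8_t *buf = n ? calloc(n, 1) : NULL;   /* bounded heap allocation instead of a VLA */
    printf("good header: %zu bytes, alloc %s\n", n, buf ? "ok" : "rejected");
    printf("bad header: %zu bytes\n", vid_check_header(vid_hdr_bad, sizeof vid_hdr_bad));
    free(buf);
    return 0;
}
```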
