[FFmpeg-devel] [PATCH 3/3] avformat/utils: Fix potential integer overflow in extract_extradata()

James Almer jamrial at gmail.com
Thu Sep 27 01:12:13 EEST 2018


On 9/26/2018 7:00 PM, Michael Niedermayer wrote:
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavformat/utils.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/libavformat/utils.c b/libavformat/utils.c
> index c1835b1ab5..3e99478ad9 100644
> --- a/libavformat/utils.c
> +++ b/libavformat/utils.c
> @@ -3544,7 +3544,9 @@ static int extract_extradata(AVStream *st, AVPacket *pkt)
>                                              &extradata_size);
>  
>          if (extradata) {
> -            avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);
> +            av_assert0(!avsti->avctx->extradata);
> +            if ((unsigned)extradata_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
> +                avsti->avctx->extradata = av_mallocz(extradata_size + AV_INPUT_BUFFER_PADDING_SIZE);

There's a FF_MAX_EXTRADATA_SIZE define in internal.h

>              if (!avsti->avctx->extradata) {
>                  av_packet_unref(pkt_ref);
>                  return AVERROR(ENOMEM);
> 



More information about the ffmpeg-devel mailing list