authorTielei <wangtielei@icst.pku.edu.cn>2008-08-20 10:08:00 +0000
committerTielei <wangtielei@icst.pku.edu.cn>2008-08-20 10:08:00 +0000
commite44f653d013abdad41e814250df65cb1fa96a290 (patch)
treeec0693f6b55f9e7b37529c9a03ca1263f43aee4d
parentc1806db355208c85916e58cf8324a3676f073173 (diff)
Integer overflow in ff_audio_decode_data()
There is an integer overflow bug in ff_audio_decode_data(). A crafted file could cause a heap crash. --HG-- extra : transplant_source : FxpH6%A3%B7%C5%DA9%5B%F6h%AFKm%93%EA%1Bv
-rw-r--r--src/combined/ffmpeg/ff_audio_decoder.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/combined/ffmpeg/ff_audio_decoder.c b/src/combined/ffmpeg/ff_audio_decoder.c
index b3b54ab0a..a08c3ac35 100644
--- a/src/combined/ffmpeg/ff_audio_decoder.c
+++ b/src/combined/ffmpeg/ff_audio_decoder.c
@@ -249,6 +249,8 @@ static void ff_audio_decode_data (audio_decoder_t *this_gen, buf_element_t *buf)
if (extradata + data_len > this->size)
break; /* abort early - extradata length is bad */
+ if (extradata > INT_MAX - data_len)
+ break;/*integer overflow*/
this->context->extradata_size = data_len;
this->context->extradata = malloc(this->context->extradata_size +