From e44f653d013abdad41e814250df65cb1fa96a290 Mon Sep 17 00:00:00 2001
From: Tielei
Date: Wed, 20 Aug 2008 10:08:00 +0000
Subject: Integer overflow in ff_audio_decode_data()

There is an integer overflow bug in ff_audio_decode_data(). A crafted file could cause heap crash.

--HG--
extra : transplant_source : FxpH6%A3%B7%C5%DA9%5B%F6h%AFKm%93%EA%1Bv
---
 src/combined/ffmpeg/ff_audio_decoder.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src')

diff --git a/src/combined/ffmpeg/ff_audio_decoder.c b/src/combined/ffmpeg/ff_audio_decoder.c
index b3b54ab0a..a08c3ac35 100644
--- a/src/combined/ffmpeg/ff_audio_decoder.c
+++ b/src/combined/ffmpeg/ff_audio_decoder.c
@@ -249,6 +249,8 @@ static void ff_audio_decode_data (audio_decoder_t *this_gen, buf_element_t *buf)
 if (extradata + data_len > this->size)
 break; /* abort early - extradata length is bad */
+if (extradata > INT_MAX - data_len)
+break;/*integer overflow*/
 this->context->extradata_size = data_len;
 this->context->extradata = malloc(this->context->extradata_size +
-- 
cgit v1.2.3
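Review bot: The new overflow guard is placed after the line that performs the addition it is meant to protect, so `extradata + data_len > this->size` is still evaluated on attacker-controlled values before `extradata > INT_MAX - data_len` runs; if those are signed ints the overflow (undefined behavior) has already happened and the size check can be bypassed before the guard is reached. The guard should be moved ahead of the existing check: `if (extradata > INT_MAX - data_len)` / `  break; /* integer overflow */` / `if (extradata + data_len > this->size)`. If `data_len` is a signed value read from the stream, a negative value would also make `INT_MAX - data_len` overflow, so a `data_len < 0` rejection before this point is worth confirming; the declarations are outside the hunk, as is the rest of ff_audio_decode_data, and whether `<limits.h>` is already included for INT_MAX cannot be seen here. The hunk header announces six context lines but only four are visible, so the lines after the `malloc(` call are not under review.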