sanity checks, some might have been exploitable ...

Originally committed as revision 5369 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2006-05-13 10:45:26 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2006-05-13 10:45:26 +0000
commit: 3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (patch)
tree: 54f9925f5f74bf9ca24ede510f6deffd98f2e2c6 /libavcodec/alac.c
parent: ce1d2a95c3d73663aecc6e5f51533d2bcf1fb1ae (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index f0de9e9001..2dc1a48559 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -100,7 +100,7 @@ static void allocate_buffers(ALACContext *alac)
     alac->outputsamples_buffer_b = av_malloc(alac->setinfo_max_samples_per_frame * 4);
 }
 
-static void alac_set_info(ALACContext *alac)
+static int alac_set_info(ALACContext *alac)
 {
     unsigned char *ptr = alac->avctx->extradata;
 
@@ -108,6 +108,10 @@ static void alac_set_info(ALACContext *alac)
     ptr += 4; /* alac */
     ptr += 4; /* 0 ? */
 
+    if(BE_32(ptr) >= UINT_MAX/4){
+        av_log(alac->avctx, AV_LOG_ERROR, "setinfo_max_samples_per_frame too large\n");
+        return -1;
+    }
     alac->setinfo_max_samples_per_frame = BE_32(ptr); /* buffer size / 2 ? */
     ptr += 4;
     alac->setinfo_7a = *ptr++;
@@ -126,6 +130,8 @@ static void alac_set_info(ALACContext *alac)
     ptr += 4;
 
     allocate_buffers(alac);
+
+    return 0;
 }
 
 /* hideously inefficient. could use a bitmask search,
author	Michael Niedermayer <michaelni@gmx.at>	2006-05-13 10:45:26 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2006-05-13 10:45:26 +0000
commit	3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (patch)
tree	54f9925f5f74bf9ca24ede510f6deffd98f2e2c6 /libavcodec/alac.c
parent	ce1d2a95c3d73663aecc6e5f51533d2bcf1fb1ae (diff)