iffdec: Fix integer overflow.

Found-by: durandal_1707 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-07-24 05:17:36 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2012-07-24 05:17:36 +0200
commit: 0e1925ddc4bb1499fcfc6a1a3990115f8d30c243 (patch)
tree: 989a5ecb3a56f4f357ded2d2b009e56a437a4de6 /libavcodec/iff.c
parent: 22ce78a95efb5d67dcd925285ad8c836b67d2c19 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index fe95357d21..a3241f6ea2 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -238,6 +238,11 @@ static int extract_header(AVCodecContext *const avctx,
                 s->mask_buf = av_malloc((s->planesize * 32) + FF_INPUT_BUFFER_PADDING_SIZE);
                 if (!s->mask_buf)
                     return AVERROR(ENOMEM);
+                if (s->bpp > 16) {
+                    av_log(avctx, AV_LOG_ERROR, "bpp %d too large for palette\n", s->bpp);
+                    av_freep(&s->mask_buf);
+                    return AVERROR(ENOMEM);
+                }
                 s->mask_palbuf = av_malloc((2 << s->bpp) * sizeof(uint32_t) + FF_INPUT_BUFFER_PADDING_SIZE);
                 if (!s->mask_palbuf) {
                     av_freep(&s->mask_buf);
author	Michael Niedermayer <michaelni@gmx.at>	2012-07-24 05:17:36 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2012-07-24 05:17:36 +0200
commit	0e1925ddc4bb1499fcfc6a1a3990115f8d30c243 (patch)
tree	989a5ecb3a56f4f357ded2d2b009e56a437a4de6 /libavcodec/iff.c
parent	22ce78a95efb5d67dcd925285ad8c836b67d2c19 (diff)