integer overflows, heap corruption

possible arbitrary code execution cannot be ruled out in some cases
precautionary checks

Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk

1 files changed, 4 insertions, 0 deletions

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index fa33101106..060d3b926d 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -302,9 +302,11 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
                     get_le32(pb); /* ClrUsed */
                     get_le32(pb); /* ClrImportant */
 
+                 if(size > 10*4 && size<(1<<30)){
                     st->codec.extradata_size= size - 10*4;
                     st->codec.extradata= av_malloc(st->codec.extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
                     get_buffer(pb, st->codec.extradata, st->codec.extradata_size);
+                 }
                     
                     if(st->codec.extradata_size & 1) //FIXME check if the encoder really did this correctly
                         get_byte(pb);
@@ -549,6 +551,8 @@ static int avi_read_idx1(AVFormatContext *s, int size)
     nb_index_entries = size / 16;
     if (nb_index_entries <= 0)
         return -1;
+    if(nb_index_entries + 1 >= UINT_MAX / sizeof(AVIIndexEntry))
+        return -1;
 
     /* read the entries and sort them in each stream component */
     for(i = 0; i < nb_index_entries; i++) {