authorMichael Niedermayer <michaelni@gmx.at>2005-02-04 18:58:59 +0000
committerMichael Niedermayer <michaelni@gmx.at>2005-02-04 18:58:59 +0000
commit360130378b4a0029a2a341398b08a7d7acfe85d5 (patch)
tree7aced5d34184c5419567b916a66e58a198b7fd02 /libavformat/sierravmd.c
parentdb2fcbbdb383a1a6d024a3884095269fa7eefd36 (diff)
fixing an integer overflow, which could lead to overwriting the end of a malloced buffer by 8 bytes
Originally committed as revision 3937 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavformat/sierravmd.c')
-rw-r--r--libavformat/sierravmd.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c
index 16b6a8d4cc..b1484b5605 100644
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -212,7 +212,8 @@ static int vmd_read_header(AVFormatContext *s,
/* if the frame size is 0, do not count the frame and bring the
* total frame count down */
- vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]);
+ // note, we limit the size to 1Gb to ensure that we dont end up overflowing the size integer used to allocate the memory
+ vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]) & 0x3FFFFFFF;
/* this logic is present so that 0-length audio chunks are not
* accounted */
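Review bot: The `& 0x3FFFFFFF` on the `frame_size` assignment silently turns an out-of-range size read from the file into a different, smaller value instead of treating the frame record as malformed, so a corrupt or crafted record is still demuxed with a size that no longer matches the data. Rejecting it is easier to reason about: read the field into a local, `unsigned int size = LE_32(&current_frame_record[2]);`, and fail the header parse with `if (size > 0x3FFFFFFF) return -1;`, after releasing whatever vmd_read_header has allocated by that point (the rest of the function is outside this hunk). The bound still lets untrusted input request just under 1 GiB, so the allocation site, which is not visible here, should do its own overflow check on the final length and handle allocation failure. The new comment would also help more if it named that allocation and the extra bytes added to the size there, which is presumably where the 8-byte overwrite in the commit message came from.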