From 568e18b15e2ddf494fd8926707d34ca08c8edce5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 8 Jan 2005 14:21:33 +0000
Subject: integer overflows, heap corruption possible arbitrary code execution cannot be ruled out in some cases precautionary checks Originally committed as revision 3813 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/ogg.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'libavformat/ogg.c')
diff --git a/libavformat/ogg.c b/libavformat/ogg.c
index e0a72306c9..c30ccd2f24 100644
--- a/libavformat/ogg.c
+++ b/libavformat/ogg.c
@@ -195,6 +195,8 @@ static int ogg_read_header(AVFormatContext *avfcontext, AVFormatParameters *ap)
 if(next_packet(avfcontext, &op)){
 return -1;
 }
+ if(op.bytes >= (1<<16) || op.bytes < 0)
+ return -1;
 codec->extradata_size+= 2 + op.bytes;
 codec->extradata= av_realloc(codec->extradata, codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
 p= codec->extradata + codec->extradata_size - 2 - op.bytes;
--
cgit v1.2.3
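Review bot: The `av_realloc()` call right after the new bound check still has its result stored into `codec->extradata` and used to compute `p` without a NULL test, so an allocation failure on this file-controlled size would leave `p` pointing near NULL for whatever is written through it below the hunk, and the previous buffer is lost. Add `if(!codec->extradata){ codec->extradata_size= 0; return -1; }` after the realloc, or realloc into a temporary first so the old buffer can still be freed on failure. The `(1<<16)` limit presumably matches a 2-byte length prefix implied by `2 + op.bytes`; a short comment such as `/* packet length is stored in 16 bits below */` would keep the bound from being loosened later. The check limits each packet only; whether the accumulated `extradata_size` stays bounded depends on the loop around this code, which like the rest of `ogg_read_header` lies outside the hunk.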