From 21ab5c58270271dbebc061015187bca02e5d51ce Mon Sep 17 00:00:00 2001
From: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Date: Mon, 14 Sep 2009 17:15:18 +0000
Subject: Extend check for integer overflow for malloc argument to take into
 account also the addition of "sound_buffers" not only the multiplication.

Originally committed as revision 19840 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/sierravmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavformat/sierravmd.c')

diff --git a/libavformat/sierravmd.c b/libavformat/sierravmd.c
index 52f05826d5..5aa5a04dbb 100644
--- a/libavformat/sierravmd.c
+++ b/libavformat/sierravmd.c
@@ -154,7 +154,7 @@ static int vmd_read_header(AVFormatContext *s,
     vmd->frame_table = NULL;
     sound_buffers = AV_RL16(&vmd->vmd_header[808]);
     raw_frame_table_size = vmd->frame_count * 6;
-    if(vmd->frame_count * vmd->frames_per_block  >= UINT_MAX / sizeof(vmd_frame)){
+    if(vmd->frame_count * vmd->frames_per_block  >= (UINT_MAX - sound_buffers) / sizeof(vmd_frame)){
         av_log(s, AV_LOG_ERROR, "vmd->frame_count * vmd->frames_per_block too large\n");
         return -1;
     }
-- 
cgit v1.2.3