avformat/flacenc: Check length in flac_write_block_comment()
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 11 May 2015 13:30:32 +0000 (15:30 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 1 Jun 2015 21:25:20 +0000 (23:25 +0200)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 40a7700b82aec0036622f8673ce64e070a520891)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/flacenc.c

index b3695a2..83fc4c2 100644 (file)
@@ -50,12 +50,14 @@ static int flac_write_block_comment(AVIOContext *pb, AVDictionary **m,
                                     int last_block, int bitexact)
 {
     const char *vendor = bitexact ? "ffmpeg" : LIBAVFORMAT_IDENT;
-    unsigned int len;
+    int64_t len;
     uint8_t *p, *p0;
 
     ff_metadata_conv(m, ff_vorbiscomment_metadata_conv, NULL);
 
     len = ff_vorbiscomment_length(*m, vendor);
+    if (len >= ((1<<24) - 4))
+        return AVERROR(EINVAL);
     p0 = av_malloc(len+4);
     if (!p0)
         return AVERROR(ENOMEM);