avformat/cdxl: Fix integer overflow of image_size
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 31 Dec 2014 20:41:46 +0000 (21:41 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 31 Dec 2014 21:33:51 +0000 (22:33 +0100)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/cdxl.c

index 5bdf44b..f198bf5 100644 (file)
@@ -130,6 +130,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
     height       = AV_RB16(&cdxl->header[16]);
     palette_size = AV_RB16(&cdxl->header[20]);
     audio_size   = AV_RB16(&cdxl->header[22]);
+    if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+        return AVERROR_INVALIDDATA;
     image_size   = FFALIGN(width, 16) * height * cdxl->header[19] / 8;
     video_size   = palette_size + image_size;