avformat/cdxl: Fix integer overflow of image_size
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 31 Dec 2014 20:41:46 +0000 (21:41 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 9 Jan 2015 16:19:09 +0000 (17:19 +0100)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3eb5cbe0c50d0a0bbe10bcabbd6b16d73d93c128)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/cdxl.c

index e3e379a..6d8e750 100644 (file)
@@ -127,6 +127,8 @@ static int cdxl_read_packet(AVFormatContext *s, AVPacket *pkt)
     height       = AV_RB16(&cdxl->header[16]);
     palette_size = AV_RB16(&cdxl->header[20]);
     audio_size   = AV_RB16(&cdxl->header[22]);
+    if (FFALIGN(width, 16) * (uint64_t)height * cdxl->header[19] > INT_MAX)
+        return AVERROR_INVALIDDATA;
     image_size   = FFALIGN(width, 16) * height * cdxl->header[19] / 8;
     video_size   = palette_size + image_size;