Check unp_size for possible overflows too

author Kostya Shishkov <kostya.shishkov@gmail.com>

Fri, 14 Sep 2007 06:01:29 +0000 (06:01 +0000)

committer Kostya Shishkov <kostya.shishkov@gmail.com>

Fri, 14 Sep 2007 06:01:29 +0000 (06:01 +0000)
author Kostya Shishkov <kostya.shishkov@gmail.com>
Fri, 14 Sep 2007 06:01:29 +0000 (06:01 +0000)
committer Kostya Shishkov <kostya.shishkov@gmail.com>
Fri, 14 Sep 2007 06:01:29 +0000 (06:01 +0000)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c

index e185f4d..614f301 100644 (file)
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -590,7 +590,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
      }
      stereo = get_bits1(&gb);
      bits = get_bits1(&gb);
-    if ((unp_size << !bits) > *data_size) {
+    if (unp_size & 0xC0000000 || (unp_size << !bits) > *data_size) {
          av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
          return -1;
      }
author	Kostya Shishkov <kostya.shishkov@gmail.com>
	Fri, 14 Sep 2007 06:01:29 +0000 (06:01 +0000)
committer	Kostya Shishkov <kostya.shishkov@gmail.com>
	Fri, 14 Sep 2007 06:01:29 +0000 (06:01 +0000)