From a246cefa75aed2ade315d6d09068aacb6b0fe76b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 24 Sep 2011 18:57:31 +0300
Subject: [PATCH] flvdec: Check for overflow before allocating arrays
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

On allocation, the array length is multiplied by sizeof(int64_t), this prevents the multiplication from overflowing.

Signed-off-by: Martin Storsjö
---
 libavformat/flvdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 474c4d8..ad00c65 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -161,6 +161,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
 break;
 arraylen = avio_rb32(ioc);
+ if (arraylen >> 28)
+ break;
+
 /*
 * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata
 * for indexing
-- 
2.7.4
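Review bot: The guard `if (arraylen >> 28)` stops the `arraylen * sizeof(int64_t)` overflow, but it still accepts any count below 2^28, so a single 32-bit field read from the file by `avio_rb32(ioc)` can request close to 2 GiB per sub-array. The allocation and its failure handling are outside this hunk, so it is worth confirming that a failed allocation is checked there, and considering a tighter cap tied to the remaining input size. The constant 28 is also unexplained in the code; a comment such as `/* arraylen * sizeof(int64_t) must stay below 2^31 */` above the check, or writing the bound as `arraylen > INT_MAX / sizeof(int64_t)`, would keep it tied to the element size (this assumes arraylen is unsigned, which the hunk does not show). parse_keyframes_index starts and ends outside the hunk.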