|
@@ -417,8 +417,8 @@ static int hqx_decode_frame(AVCodecContext *avctx, void *data, |
|
|
|
|
|
|
|
|
info_tag = AV_RL32(src); |
|
|
info_tag = AV_RL32(src); |
|
|
if (info_tag == MKTAG('I', 'N', 'F', 'O')) { |
|
|
if (info_tag == MKTAG('I', 'N', 'F', 'O')) { |
|
|
int info_offset = AV_RL32(src + 4); |
|
|
|
|
|
if (info_offset > UINT32_MAX - 8 || info_offset + 8 > avpkt->size) { |
|
|
|
|
|
|
|
|
unsigned info_offset = AV_RL32(src + 4); |
|
|
|
|
|
if (info_offset > INT_MAX || info_offset + 8 > avpkt->size) { |
|
|
av_log(avctx, AV_LOG_ERROR, |
|
|
av_log(avctx, AV_LOG_ERROR, |
|
|
"Invalid INFO header offset: 0x%08"PRIX32" is too large.\n", |
|
|
"Invalid INFO header offset: 0x%08"PRIX32" is too large.\n", |
|
|
info_offset); |
|
|
info_offset); |
|
|