4xm: check bitstream_size boundary before using it
Prevent buffer overread.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 59d7bb99b6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
			
			
This commit is contained in:
		 Luca Barbato
					Luca Barbato
				
			
				
					committed by
					
						 Reinhard Tartler
						Reinhard Tartler
					
				
			
			
				
	
			
			
			 Reinhard Tartler
						Reinhard Tartler
					
				
			
						parent
						
							5c54fc6195
						
					
				
				
					commit
					04c29196ad
				
			| @@ -733,6 +733,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) | ||||
|     unsigned int prestream_size; | ||||
|     const uint8_t *prestream; | ||||
|  | ||||
|     if (bitstream_size > (1 << 26)) | ||||
|         return AVERROR_INVALIDDATA; | ||||
|  | ||||
|     if (length < bitstream_size + 12) { | ||||
|         av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); | ||||
|         return AVERROR_INVALIDDATA; | ||||
| @@ -743,7 +746,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length) | ||||
|     prestream      =             buf + bitstream_size + 12; | ||||
|  | ||||
|     if (prestream_size + bitstream_size + 12 != length | ||||
|         || bitstream_size > (1 << 26) | ||||
|         || prestream_size > (1 << 26)) { | ||||
|         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", | ||||
|                prestream_size, bitstream_size, length); | ||||
|   | ||||
		Reference in New Issue
	
	Block a user