generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

4xm: check bitstream_size boundary before using it

Browse Source 
Prevent buffer overread.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 59d7bb99b6)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Luca Barbato
2013-06-10 16:37:43 +02:00
committed by Reinhard Tartler
parent 5c54fc6195
commit 04c29196ad
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/4xm.c
View File

@@ -733,6 +733,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length)
unsigned int prestream_size; unsigned int prestream_size;
const uint8_t *prestream; const uint8_t *prestream;
if (bitstream_size > (1 << 26))
return AVERROR_INVALIDDATA;
if (length < bitstream_size + 12) { if (length < bitstream_size + 12) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
@@ -743,7 +746,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length)
prestream = buf + bitstream_size + 12; prestream = buf + bitstream_size + 12;
if (prestream_size + bitstream_size + 12 != length if (prestream_size + bitstream_size + 12 != length
|| bitstream_size > (1 << 26)
|| prestream_size > (1 << 26)) { || prestream_size > (1 << 26)) {
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n",
prestream_size, bitstream_size, length); prestream_size, bitstream_size, length);