generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avcodec/flashsv: Check size before updating it

Browse Source 
Fixes out of array read
Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2015-11-14 13:34:02 +01:00
parent e04126072e
commit 17705f5d4f
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/flashsv.c
View File

@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
} }
if (has_diff) { if (has_diff) {
if (size < 3) {
av_log(avctx, AV_LOG_ERROR, "size too small for diff\n");
return AVERROR_INVALIDDATA;
}
if (!s->keyframe) { if (!s->keyframe) {
av_log(avctx, AV_LOG_ERROR, av_log(avctx, AV_LOG_ERROR,
"Inter frame without keyframe\n"); "Inter frame without keyframe\n");
@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
int row = get_bits(&gb, 8); int row = get_bits(&gb, 8);
av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n",
i, j, col, row); i, j, col, row);
if (size < 3) {
av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n");
return AVERROR_INVALIDDATA;
}
size -= 2; size -= 2;
avpriv_request_sample(avctx, "zlibprime_curr"); avpriv_request_sample(avctx, "zlibprime_curr");
return AVERROR_PATCHWELCOME; return AVERROR_PATCHWELCOME;