generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

vmnc: Check the cursor dimensions

Browse Source 
And manage the reallocation failure path.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Luca Barbato 2013-10-09 05:51:20 +02:00
parent 61cd19b8bc
commit 5e992a4682
1 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
libavcodec/vmnc.c
View File

@ -301,6 +301,14 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
return 0; return 0;
} }
static void reset_buffers(VmncContext *c)
{
av_freep(&c->curbits);
av_freep(&c->curmask);
av_freep(&c->screendta);
c->cur_w = c->cur_h = 0;
}
static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
AVPacket *avpkt) AVPacket *avpkt)
{ {
@ -379,9 +387,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
c->cur_hx, c->cur_hy, c->cur_w, c->cur_h); c->cur_hx, c->cur_hy, c->cur_w, c->cur_h);
c->cur_hx = c->cur_hy = 0; c->cur_hx = c->cur_hy = 0;
} }
c->curbits = av_realloc(c->curbits, c->cur_w * c->cur_h * c->bpp2); if (c->cur_w * c->cur_h >= INT_MAX / c->bpp2) {
c->curmask = av_realloc(c->curmask, c->cur_w * c->cur_h * c->bpp2); reset_buffers(c);
c->screendta = av_realloc(c->screendta, c->cur_w * c->cur_h * c->bpp2); return AVERROR(EINVAL);
} else {
int screen_size = c->cur_w * c->cur_h * c->bpp2;
if ((ret = av_reallocp(&c->curbits, screen_size)) < 0 ||
(ret = av_reallocp(&c->curmask, screen_size)) < 0 ||
(ret = av_reallocp(&c->screendta, screen_size)) < 0) {
reset_buffers(c);
return ret;
}
}
load_cursor(c); load_cursor(c);
break; break;
case MAGIC_WMVe: // unknown case MAGIC_WMVe: // unknown