4xm: check bitstream_size boundary before using it

Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 59d7bb99b6a963b7e11c637228b2203adf535eee) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/4xm.c
2013-06-10 16:37:43 +02:00 · 2013-06-10 16:37:43 +02:00 · 6a4f1e784e
commit 6a4f1e784e
parent e5679444fd
1 changed files with 3 additions and 1 deletions
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@ -663,6 +663,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
    unsigned int prestream_size;
    const uint8_t *prestream;

+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
    if (length < bitstream_size + 12) {
        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
        return AVERROR_INVALIDDATA;
@ -673,7 +676,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
    prestream      = buf + bitstream_size + 12;

    if(prestream_size + bitstream_size + 12 != length
-       || bitstream_size > (1<<26)
       || prestream_size > (1<<26)){
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
        return -1;