generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

cdgraphics: switch to bytestream2

Browse Source 
Fixes possible invalid memory accesses on corrupted data.

CC:libav-stable@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7e)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Anton Khirnov
2014-08-06 10:46:50 +00:00
parent c53effc41b
commit 8cd67ddde4
1 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
libavcodec/cdgraphics.c
View File

@@ -269,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
static int cdg_decode_frame(AVCodecContext *avctx,
void *data, int *got_frame, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
GetByteContext gb;
int buf_size = avpkt->size;
int ret;
uint8_t command, inst;
@@ -277,10 +277,8 @@ static int cdg_decode_frame(AVCodecContext *avctx,
AVFrame new_frame;
CDGraphicsContext *cc = avctx->priv_data;
if (buf_size < CDG_MINIMUM_PKT_SIZE) {
av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
return AVERROR(EINVAL);
}
bytestream2_init(&gb, avpkt->data, avpkt->size);
ret = avctx->reget_buffer(avctx, &cc->frame);
if (ret) {
@@ -288,11 +286,11 @@ static int cdg_decode_frame(AVCodecContext *avctx,
return ret;
}
command = bytestream_get_byte(&buf);
inst = bytestream_get_byte(&buf);
command = bytestream2_get_byte(&gb);
inst = bytestream2_get_byte(&gb);
inst &= CDG_MASK;
buf += 2; /// skipping 2 unneeded bytes
bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
bytestream2_skip(&gb, 2);
bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
if ((command & CDG_MASK) == CDG_COMMAND) {
switch (inst) {