generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

4xm: Add a check in decode_i_frame to prevent buffer overreads

Browse Source 
Fixes bugzilla #135

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Shitiz Garg 2011-12-14 18:29:21 +05:30 committed by Reinhard Tartler
parent 92b964969b
commit ccd2ca0246
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
libavcodec/4xm.c
View File

@ -641,9 +641,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf);
const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
const uint8_t *prestream= buf + bitstream_size + 12;
int token_count av_unused;
unsigned int prestream_size;
const uint8_t *prestream;
if (length < bitstream_size + 12) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA;
}
token_count = AV_RL32(buf + bitstream_size + 8);
prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
prestream = buf + bitstream_size + 12;
if(prestream_size + bitstream_size + 12 != length
|| bitstream_size > (1<<26)