generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

4xm: validate the buffer size before parsing it

Browse Source 
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
Luca Barbato 2013-06-07 16:16:46 +02:00
parent 53c76b6803
commit cd9b0bb07a
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
libavcodec/4xm.c
View File

@ -382,6 +382,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset; unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
if(f->version>1){ if(f->version>1){
if (length < 20)
return AVERROR_INVALIDDATA;
extra=20; extra=20;
bitstream_size= AV_RL32(buf+8); bitstream_size= AV_RL32(buf+8);
wordstream_size= AV_RL32(buf+12); wordstream_size= AV_RL32(buf+12);
@ -734,18 +736,28 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame *p, temp; AVFrame *p, temp;
int i, frame_4cc, frame_size; int i, frame_4cc, frame_size;
frame_4cc= AV_RL32(buf); if (buf_size < 20)
if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){ return AVERROR_INVALIDDATA;
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
if (buf_size < AV_RL32(buf + 4) + 8) {
av_log(f->avctx, AV_LOG_ERROR,
"size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
} }
frame_4cc = AV_RL32(buf);
if(frame_4cc == AV_RL32("cfrm")){ if(frame_4cc == AV_RL32("cfrm")){
int free_index=-1; int free_index=-1;
const int data_size= buf_size - 20; int id, whole_size;
const int id= AV_RL32(buf+12); const int data_size = buf_size - 20;
const int whole_size= AV_RL32(buf+16);
CFrameBuffer *cfrm; CFrameBuffer *cfrm;
if (data_size < 0)
return AVERROR_INVALIDDATA;
id = AV_RL32(buf + 12);
whole_size = AV_RL32(buf + 16);
for(i=0; i<CFRAME_BUFFER_COUNT; i++){ for(i=0; i<CFRAME_BUFFER_COUNT; i++){
if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number) if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id); av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);