Module: libav
Branch: release/0.7
Commit: d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1

Author:    Shitiz Garg <[email protected]>
Committer: Reinhard Tartler <[email protected]>
Date:      Wed Dec 14 18:47:21 2011 +0530

4xm: Add a check in decode_i_frame to prevent buffer overreads

Fixes bugzilla #135

Signed-off-by: Janne Grunau <[email protected]>
(cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84)

Signed-off-by: Reinhard Tartler <[email protected]>

---

 libavcodec/4xm.c |   15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 176feb9..ed83259 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -658,9 +658,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t 
*buf, int length){
     uint16_t *dst= (uint16_t*)f->current_picture.data[0];
     const int stride= f->current_picture.linesize[0]>>1;
     const unsigned int bitstream_size= AV_RL32(buf);
-    const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
-    unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
-    const uint8_t *prestream= buf + bitstream_size + 12;
+    int token_count av_unused;
+    unsigned int prestream_size;
+    const uint8_t *prestream;
+
+    if (length < bitstream_size + 12) {
+        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    token_count    = AV_RL32(buf + bitstream_size + 8);
+    prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+    prestream      = buf + bitstream_size + 12;
 
     if(prestream_size + bitstream_size + 12 != length
        || bitstream_size > (1<<26)
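Review bot: The added guard `length < bitstream_size + 12` can be bypassed by unsigned wraparound. `bitstream_size` is a 32-bit field read straight from the packet, so a value near UINT_MAX makes `bitstream_size + 12` wrap to a small number, and the three `buf + bitstream_size + …` accesses below the guard still land outside the buffer. The existing `bitstream_size > (1<<26)` bound sits in the later `if`, after those reads, so it does not help here. Compare without the addition, for example `if (length < 12 || bitstream_size > (unsigned)length - 12) {`, or move the `(1<<26)` bound ahead of this check. Separately, `AV_RL32(buf)` on the context line reads four bytes before any length test visible in this hunk; decode_i_frame's body extends beyond the hunk, so whether a caller already guarantees `length >= 4` cannot be confirmed from here.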
