Hi, On Mon, Nov 28, 2011 at 12:58 PM, Aneesh Dogra <[email protected]> wrote: > Fixes: http://bugzilla.libav.org/show_bug.cgi?id=102 > --- > libavcodec/indeo3.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c > index 1d8f694..596cd27 100644 > --- a/libavcodec/indeo3.c > +++ b/libavcodec/indeo3.c > @@ -804,6 +804,8 @@ static int decode_plane(Indeo3DecodeContext *ctx, > AVCodecContext *avctx, > num_vectors = bytestream_get_le32(&data); > ctx->mc_vectors = num_vectors ? data : 0; > > + if (num_vectors * 2 >= data_size) > + return AVERROR_INVALIDDATA; > /* init the bitreader */ > init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3); > ctx->skip_bits = 0;
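Review bot: the new check `if (num_vectors * 2 >= data_size)` can be defeated by integer wrap-around: num_vectors is read with bytestream_get_le32(), so if it is held in a 32-bit variable a count of 0x80000000 or more makes `num_vectors * 2` wrap to a small value that passes the test, and `&data[num_vectors * 2]` two lines later then indexes far past the buffer. Compare without the multiply, for example `if (num_vectors > (data_size - 1) / 2)` after ensuring data_size > 0, or widen the product before comparing. In the same hunk the size passed to init_get_bits() remains `data_size << 3` even though the vector table has consumed `num_vectors * 2` of those bytes; passing `(data_size - num_vectors * 2) << 3` would make the bitreader's own bound match the data actually left. Minor: a blank line between the new `return` and the `/* init the bitreader */` comment would match the surrounding style.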
This leads to the question whether data_size << 3 is really the proper size for this buffer. In reality, it's (data_size - num_vectors * 2) << 3. Fixing this will allow doing things like get_bits_left() further down in the stack to prevent more subtle buffer overreads.

Ronald

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
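The two points raised in this thread, validating the vector count before indexing past it and handing the bitreader only the bytes that remain after the vector table, as an added example written for this discussion rather than code from libav's indeo3.c. It assumes a plane layout of a little-endian 32-bit count followed by num_vectors * 2 bytes of vectors and then the bitstream; the struct, function and macro names are hypothetical, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for AVERROR_INVALIDDATA (the real macro lives in libavutil/error.h). */
#define EXAMPLE_ERROR_INVALIDDATA (-1)

/* Parsed per-plane header (hypothetical layout, not taken from the decoder):
 * le32 count, then count * 2 bytes of vectors, then the bitstream. */
typedef struct {
    uint32_t       num_vectors;
    const uint8_t *mc_vectors;      /* NULL when num_vectors == 0 */
    const uint8_t *bitstream;       /* first byte after the vector table */
    size_t         bitstream_bits;  /* (remaining - num_vectors * 2) << 3 */
} VectorHeader;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The patch's test as it evaluates when the count sits in a 32-bit unsigned
 * variable: the product is computed modulo 2^32 and wraps for counts of
 * 0x80000000 or more, so an oversized count is not rejected. */
static int wrapping_check_rejects(uint32_t num_vectors, size_t data_size)
{
    uint32_t product = num_vectors * 2u;   /* may wrap to a small value */
    return product >= data_size;
}

/* Wrap-free validation: compare the count against the available bytes divided
 * by two and keep at least one byte for the bitreader. This accepts exactly
 * the same counts as `num_vectors * 2 >= data_size` would without wrap. */
static int parse_vector_header(const uint8_t *data, size_t data_size, VectorHeader *out)
{
    if (data_size < 4)
        return EXAMPLE_ERROR_INVALIDDATA;

    uint32_t n = read_le32(data);
    data      += 4;
    data_size -= 4;                          /* bytes after the count field */

    if (data_size == 0 || n > (data_size - 1) / 2)
        return EXAMPLE_ERROR_INVALIDDATA;

    size_t table_bytes = (size_t)n * 2;      /* cannot overflow: n <= data_size / 2 */
    out->num_vectors    = n;
    out->mc_vectors     = n ? data : NULL;
    out->bitstream      = data + table_bytes;
    out->bitstream_bits = (data_size - table_bytes) << 3;  /* what init_get_bits() should get */
    return 0;
}

/* Convenience wrapper: bits left for the bitreader, or -1 when rejected. */
static long bitstream_bits_or_error(const uint8_t *data, size_t data_size)
{
    VectorHeader h;
    if (parse_vector_header(data, data_size, &h) < 0)
        return -1;
    return (long)h.bitstream_bits;
}

/* Constructed sample planes (not captured from a real file). */
static const uint8_t sample_ok[] = {
    0x02, 0x00, 0x00, 0x00,      /* num_vectors = 2 */
    0x11, 0x22, 0x33, 0x44,      /* 2 vectors * 2 bytes */
    0xAA, 0xBB, 0xCC             /* 24 bits of bitstream */
};
static const uint8_t sample_overclaim[] = {
    0x04, 0x00, 0x00, 0x00,      /* claims 4 vectors, only 7 bytes follow */
    0x11, 0x22, 0x33, 0x44, 0xAA, 0xBB, 0xCC
};
static const uint8_t sample_wrap[] = {
    0x00, 0x00, 0x00, 0x80,      /* num_vectors = 0x80000000: 2 * count wraps to 0 */
    0x11, 0x22, 0x33, 0x44, 0xAA, 0xBB, 0xCC
};

int main(void)
{
    printf("ok plane:        %ld bits left\n", bitstream_bits_or_error(sample_ok, sizeof sample_ok));
    printf("overclaim plane: %ld\n", bitstream_bits_or_error(sample_overclaim, sizeof sample_overclaim));
    printf("wrap plane:      %ld (naive check rejects: %d)\n",
           bitstream_bits_or_error(sample_wrap, sizeof sample_wrap),
           wrapping_check_rejects(0x80000000u, 7));
    return 0;
}
```

The overclaim and wrap planes carry identical payload bytes; only the count differs, which is exactly what a fuzzed or crafted stream would vary, and the division-based comparison rejects both where a wrapped multiply lets the second one through.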
