[libav-devel] [PATCH] indeo3: check per-plane data buffer against input buffer bounds.

Aneesh Dogra Mon, 28 Nov 2011 22:19:11 -0800

Fixes: http://bugzilla.libav.org/show_bug.cgi?id=102
---
 libavcodec/indeo3.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)


diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 4f3cb36..9eca4dc 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -804,8 +804,10 @@ static int decode_plane(Indeo3DecodeContext *ctx, 
AVCodecContext *avctx,
     num_vectors = bytestream_get_le32(&data);
     ctx->mc_vectors  = num_vectors ? data : 0;
 
+    if (num_vectors * 2 >= data_size)
+        return AVERROR_INVALIDDATA;
     /* init the bitreader */
-    init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);
+    init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size-num_vectors*2 << 
3);
     ctx->skip_bits   = 0;
     ctx->need_resync = 0;
 
-- 
1.7.4.1

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel

[libav-devel] [PATCH] indeo3: check per-plane data buffer against input buffer bounds.

Reply via email to