On 29.11.2011 05:24, Ronald S. Bultje wrote: > Hi, > > On Mon, Nov 28, 2011 at 12:58 PM, Aneesh Dogra <[email protected]> wrote: >> Fixes: http://bugzilla.libav.org/show_bug.cgi?id=102 >> --- >> libavcodec/indeo3.c | 2 ++ >> 1 files changed, 2 insertions(+), 0 deletions(-) >> >> diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c >> index 1d8f694..596cd27 100644 >> --- a/libavcodec/indeo3.c >> +++ b/libavcodec/indeo3.c >> @@ -804,6 +804,8 @@ static int decode_plane(Indeo3DecodeContext *ctx, >> AVCodecContext *avctx, >> num_vectors = bytestream_get_le32(&data); >> ctx->mc_vectors = num_vectors ? data : 0; >> >> + if (num_vectors * 2 >= data_size) >> + return AVERROR_INVALIDDATA; >> /* init the bitreader */ >> init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3); >> ctx->skip_bits = 0; > This leads to the question whether data_size << 3 is really the proper > size for this buffer. In reality, it's (data_size - num_vectors * 2) > << 3. > > Fixing this will allow doing things like get_bits_left() further down > in the stack to prevent more subtle buffer overreads.
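Review bot: the new bounds check still leaves the bit reader with the wrong length: `init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);` passes the size of the whole buffer even though reading starts `num_vectors * 2` bytes into it, so the reader believes it has `num_vectors * 2` more bytes than actually remain and `get_bits_left()` cannot be trusted further down; once the check has passed, `(data_size - num_vectors * 2) << 3` is the correct size. Two smaller points on the same hunk: `num_vectors` comes straight from the stream via `bytestream_get_le32`, so depending on its type `num_vectors * 2` can wrap or overflow before the comparison, and a form such as `num_vectors > data_size / 2` avoids that; and the check sits after `ctx->mc_vectors = num_vectors ? data : 0;`, so on the error path the context keeps a pointer to the vector data that was just rejected, which is avoided by moving the check above that assignment. A one-line comment naming the bug the check addresses would also help future readers.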
Yes. That's absolutely correct. A proper fix would be very appreciated!

Best regards
Maxim

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
