On 5 January 2012 22:15, Janne Grunau <[email protected]> wrote:
> Prevents null ptr derefence for negative sizes.
> ---
> libavcodec/truemotion2.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
> index 8d72bb6..4045342 100644
> --- a/libavcodec/truemotion2.c
> +++ b/libavcodec/truemotion2.c
> @@ -272,6 +272,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t
> *buf, int stream_id, i
> len = AV_RB32(buf); buf += 4; cur += 4;
> }
> if(len > 0) {
> + if (skip <= cur)
> + return -1;
> init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
> if(tm2_read_deltas(ctx, stream_id) == -1)
> return -1;
> @@ -286,6 +288,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t
> *buf, int stream_id, i
> buf += 4; cur += 4;
> buf += 4; cur += 4; /* unused by decoder */
>
> + if (skip <= cur)
> + return -1;
> init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
> if(tm2_build_huff_table(ctx, &codes) == -1)
> return -1;
> @@ -303,6 +307,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t
> *buf, int stream_id, i
> ctx->tok_lens[stream_id] = toks;
> len = AV_RB32(buf); buf += 4; cur += 4;
> if(len > 0) {
> + if (skip <= cur)
> + return -1;
> init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
> for(i = 0; i < toks; i++) {
> if (get_bits_left(&ctx->gb) <= 0) {
> --
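Review bot: The added `if (skip <= cur) return -1;` guard in the first hunk (and its copies in the hunks at -286 and -303) only rejects a zero or negative size; nothing in these hunks bounds `skip` from above. The bit count `(skip - cur) * 8` passed to `init_get_bits` can therefore still describe more data than remains at `buf`, or overflow `int` for a very large `skip`. Whether `skip` is already checked against the input size earlier in `tm2_read_stream` cannot be seen here, since the function starts and ends outside the hunks and its last parameter is cut off in the hunk header. If it is not, the guard should also cover the upper bound, for example `if (skip <= cur || skip - cur > INT_MAX / 8) return -1;`, together with a comparison against the buffer length the caller supplies. A one-line comment such as `/* skip comes from the bitstream; reject sizes that leave no payload */` above each guard would record why the check exists.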
looks OK
