"Ronald S. Bultje" <[email protected]> writes:

> Hi,
>
> On Fri, Jul 27, 2012 at 4:21 PM, Derek Buitenhuis
> <[email protected]> wrote:
>> +static int cllc_decode_frame(AVCodecContext *avctx, void *data,
>> + int *data_size, AVPacket *avpkt)
> [..]
>> + uint8_t *src = avpkt->data;
> [..]
>> + info_tag = AV_RL32(src);
>> + if (info_tag == MKTAG('I', 'N', 'F', 'O')) {
>> + info_offset = AV_RL32(src + 4) + 8;

The value read from the bitstream needs to be validated before adding 8,
or it could overflow.

>> + src += info_offset;
>> + av_log(avctx, AV_LOG_DEBUG, "Skipping INFO chunk.\n");
>> + }
>> +
>> + /* bswap16 the buffer since CLLC's bitreader works in 16-bit WORDS */
>> + ctx->dsp.bswap16_buf((uint16_t *) ctx->swapped_buf, (uint16_t *) src,
>> + (avpkt->size - info_offset) / 2);
>
> Are you sure you don't want to check info_offset to ensure it actually
> leads to a greater-than-zero result before continuing? I'm pretty sure
> this can crash on malformed streams.

Yes, more checks are needed.

-- 
Måns Rullgård
[email protected]
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
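Review bot: info_offset is taken straight from the packet and never compared against avpkt->size, so the problem is wider than the overflow of `AV_RL32(src + 4) + 8` noted above: `src += info_offset` can move the pointer past the end of avpkt->data, and `(avpkt->size - info_offset) / 2` goes negative (or wraps to a huge count if info_offset is unsigned) and is passed to bswap16_buf as a length, which then reads beyond the packet. Nothing visible in the hunk guarantees avpkt->size >= 8 before the two AV_RL32 reads either. The packet should be rejected before src is adjusted, e.g. `if (avpkt->size < 8) return AVERROR_INVALIDDATA;` at the top and, in the INFO branch, a check of the raw 32-bit value against `avpkt->size - 8` before the 8 is added, so that the remaining length handed to bswap16_buf is always non-negative.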
