On Thu, Feb 27, 2014 at 07:30:11PM -0500, [email protected] wrote: > From: Michael Niedermayer <[email protected]> > > Sample file available from https://trac.ffmpeg.org/ticket/2842 > > Adresses: CVE-2013-4264 > CC: [email protected] > Signed-off-by: Reinhard Tartler <[email protected]> > --- > libavcodec/g2meet.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c > index 89fafef..eda57f8 100644 > --- a/libavcodec/g2meet.c > +++ b/libavcodec/g2meet.c > @@ -393,7 +393,7 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, > int tile_y, > return 0; > zsize = (src[0] << 8) | src[1]; src += 2; > > - if (src_end - src < zsize) > + if (src_end - src < zsize + (sub_type != 2)) > return AVERROR_INVALIDDATA; > > ret = uncompress(c->kempf_buf, &dlen, src, zsize); > @@ -415,6 +415,8 @@ static int kempf_decode_tile(G2MContext *c, int tile_x, > int tile_y, > for (i = 0; i < (FFALIGN(height, 16) >> 4); i++) { > for (j = 0; j < (FFALIGN(width, 16) >> 4); j++) { > if (!bits) { > + if (src >= src_end) > + return AVERROR_INVALIDDATA; > bitbuf = *src++; > bits = 8; > } > --
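Review bot: the `+ (sub_type != 2)` term in `if (src_end - src < zsize + (sub_type != 2))` folds two separate requirements into one comparison: that `zsize` bytes of compressed data follow, and that one further byte is available when `sub_type != 2`. The second hunk already checks `src >= src_end` immediately before `bitbuf = *src++`, so that one extra byte appears to be bounds-checked at the point where it is read, and the first check could stay as `if (src_end - src < zsize)`. If the merged form is kept, it needs a comment saying what the extra byte is for, because as written the length check reads as though the compressed payload itself were one byte longer when `sub_type != 2`.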
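Review bot: the new `if (src >= src_end) return AVERROR_INVALIDDATA;` is placed directly before the `bitbuf = *src++` refill, which is where the out-of-bounds read happens, but it returns from inside the nested row/column loops, so whatever those loops have already written for this tile is left in place when the error is raised; that matches the existing `return AVERROR_INVALIDDATA` after the `zsize` check, so callers must already treat a non-zero return as a failed tile. Since each refill consumes exactly one byte, a short comment at the check (and a sentence in the commit message naming this refill as the read being guarded) would make the fix self-explanatory.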
It makes more sense to test the sub_type=2 related part later and not merge the checks.

_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
