authorShitiz Garg <mail@dragooon.net>2011-12-14 18:29:21 +0530
committerReinhard Tartler <siretart@tauware.de>2011-12-24 15:47:57 +0100
commitccd2ca02463df0d9e5246758676b0ca52fcc2fb8 (patch)
treeb7427ea82a97f0a3f579929834a9c200af92cd8f
parent92b964969b228799fded70827d8b78044aff5019 (diff)
4xm: Add a check in decode_i_frame to prevent buffer overreads
Fixes bugzilla #135 Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r--libavcodec/4xm.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 219850302c..f6e50e9d5c 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -641,9 +641,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf);
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
- const uint8_t *prestream= buf + bitstream_size + 12;
+ int token_count av_unused;
+ unsigned int prestream_size;
+ const uint8_t *prestream;
+
+ if (length < bitstream_size + 12) {
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ token_count = AV_RL32(buf + bitstream_size + 8);
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
if(prestream_size + bitstream_size + 12 != length
|| bitstream_size > (1<<26)