Browse code
Prevent a crash by sanity checking buffer reads.
Patch by Daniel Kang, daniel.d.kang at gmail
Originally committed as revision 26251 to svn://svn.ffmpeg.org/ffmpeg/trunk
Daniel Kang authored on 2011/01/07 08:14:27Showing 1 changed files
| ... | ... |
@@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx) |
| 47 | 47 |
static int bfi_decode_frame(AVCodecContext * avctx, void *data, |
| 48 | 48 |
int *data_size, AVPacket *avpkt) |
| 49 | 49 |
{
|
| 50 |
- const uint8_t *buf = avpkt->data; |
|
| 50 |
+ const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size; |
|
| 51 | 51 |
int buf_size = avpkt->size; |
| 52 | 52 |
BFIContext *bfi = avctx->priv_data; |
| 53 | 53 |
uint8_t *dst = bfi->dst; |
| ... | ... |
@@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data, |
| 99 | 99 |
unsigned int code = byte >> 6; |
| 100 | 100 |
unsigned int length = byte & ~0xC0; |
| 101 | 101 |
|
| 102 |
+ if (buf >= buf_end) {
|
|
| 103 |
+ av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n"); |
|
| 104 |
+ return -1; |
|
| 105 |
+ } |
|
| 106 |
+ |
|
| 102 | 107 |
/* Get length and offset(if required) */ |
| 103 | 108 |
if (length == 0) {
|
| 104 | 109 |
if (code == 1) {
|
| ... | ... |
@@ -121,6 +126,10 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data, |
| 121 | 121 |
switch (code) {
|
| 122 | 122 |
|
| 123 | 123 |
case 0: //Normal Chain |
| 124 |
+ if (length >= buf_end - buf) {
|
|
| 125 |
+ av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n"); |
|
| 126 |
+ return -1; |
|
| 127 |
+ } |
|
| 124 | 128 |
bytestream_get_buffer(&buf, dst, length); |
| 125 | 129 |
dst += length; |
| 126 | 130 |
break; |