GitList

Browse code

avcodec/vmdvideo: Check len before using it in method 3

Fixes out of array access
Fixes: asan_heap-oob_4d23ba_91_cov_3853393937_128.vmd

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3030fb7e0d41836f8add6399e9a7c7b740b48bfd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Michael Niedermayer authored on 2014/12/17 00:24:55
Showing 1 changed files

libavcodec/vmdav.c index c1fb80b..91d245a 100644

libavcodec/vmdav.c

History View file @ 7279be7

@@ -352,6 +352,9 @@ static int vmd_decode(VmdVideoContext *s, AVFrame *frame)
                                              ofs += slen;
                                              bytestream2_skip(&gb, len);
                                          } else {
                     +                        if (ofs + len > frame_width ||
                     +                            bytestream2_get_bytes_left(&gb) < len)
                     +                            return AVERROR_INVALIDDATA;
                                              bytestream2_get_buffer(&gb, &dp[ofs], len);
                                              ofs += len;
+                                         }