Browse code
4xm: Add a check in decode_i_frame to prevent buffer overreads
Fixes bugzilla #135
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Shitiz Garg authored on 2011/12/14 21:59:21Showing 1 changed files
| ... | ... |
@@ -658,9 +658,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
|
| 658 | 658 |
uint16_t *dst= (uint16_t*)f->current_picture.data[0]; |
| 659 | 659 |
const int stride= f->current_picture.linesize[0]>>1; |
| 660 | 660 |
const unsigned int bitstream_size= AV_RL32(buf); |
| 661 |
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); |
|
| 662 |
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); |
|
| 663 |
- const uint8_t *prestream= buf + bitstream_size + 12; |
|
| 661 |
+ int token_count av_unused; |
|
| 662 |
+ unsigned int prestream_size; |
|
| 663 |
+ const uint8_t *prestream; |
|
| 664 |
+ |
|
| 665 |
+ if (length < bitstream_size + 12) {
|
|
| 666 |
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); |
|
| 667 |
+ return AVERROR_INVALIDDATA; |
|
| 668 |
+ } |
|
| 669 |
+ |
|
| 670 |
+ token_count = AV_RL32(buf + bitstream_size + 8); |
|
| 671 |
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); |
|
| 672 |
+ prestream = buf + bitstream_size + 12; |
|
| 664 | 673 |
|
| 665 | 674 |
if(prestream_size + bitstream_size + 12 != length |
| 666 | 675 |
|| bitstream_size > (1<<26) |