Fixes bugzilla #135
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
... | ... |
@@ -658,9 +658,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ |
658 | 658 |
uint16_t *dst= (uint16_t*)f->current_picture.data[0]; |
659 | 659 |
const int stride= f->current_picture.linesize[0]>>1; |
660 | 660 |
const unsigned int bitstream_size= AV_RL32(buf); |
661 |
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); |
|
662 |
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); |
|
663 |
- const uint8_t *prestream= buf + bitstream_size + 12; |
|
661 |
+ int token_count av_unused; |
|
662 |
+ unsigned int prestream_size; |
|
663 |
+ const uint8_t *prestream; |
|
664 |
+ |
|
665 |
+ if (length < bitstream_size + 12) { |
|
666 |
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); |
|
667 |
+ return AVERROR_INVALIDDATA; |
|
668 |
+ } |
|
669 |
+ |
|
670 |
+ token_count = AV_RL32(buf + bitstream_size + 8); |
|
671 |
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); |
|
672 |
+ prestream = buf + bitstream_size + 12; |
|
664 | 673 |
|
665 | 674 |
if(prestream_size + bitstream_size + 12 != length |
666 | 675 |
|| bitstream_size > (1<<26) |
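Review bot: The added guard `if (length < bitstream_size + 12)` can still be passed by a malformed packet, because `bitstream_size` is an unsigned 32-bit value read from the packet and `bitstream_size + 12` wraps to a small number for values near `UINT_MAX`. The two `AV_RL32(buf + bitstream_size + ...)` reads on new lines 670-671 would then land far outside `buf`, and the `bitstream_size > (1<<26)` limit is only tested in the later `if`, after those reads. Writing the comparison so it cannot overflow closes this: `if (length < 12 || bitstream_size > (unsigned)length - 12) {`. `AV_RL32(buf)` on line 660 also runs before any length check visible here. Whether the caller guarantees at least four bytes cannot be seen from this hunk, since the body of decode_i_frame starts before it and continues after it.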