diff options
| author | Janne Grunau <janne-libav@jannau.net> | 2012-01-05 21:28:03 +0100 |
|---|---|---|
| committer | Janne Grunau <janne-libav@jannau.net> | 2012-01-05 23:19:13 +0100 |
| commit | 696ace50ea91a65dff887aaf5296f42a2fbc8f6c (patch) | |
| tree | c2dd182134749d3bec124f2ee4a5aeb8b7cc91a1 | |
| parent | acb074301c8612dfd5f135a0513bbe93a2dc51d1 (diff) | |
| download | ffmpeg-696ace50ea91a65dff887aaf5296f42a2fbc8f6c.tar.gz | |
truemotion2: check size before GetBitContext initialisation
Prevents null ptr derefence for negative sizes.
| -rw-r--r-- | libavcodec/truemotion2.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index 8d72bb6df0..4045342ffa 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -272,6 +272,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i len = AV_RB32(buf); buf += 4; cur += 4; } if(len > 0) { + if (skip <= cur) + return -1; init_get_bits(&ctx->gb, buf, (skip - cur) * 8); if(tm2_read_deltas(ctx, stream_id) == -1) return -1; @@ -286,6 +288,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i buf += 4; cur += 4; buf += 4; cur += 4; /* unused by decoder */ + if (skip <= cur) + return -1; init_get_bits(&ctx->gb, buf, (skip - cur) * 8); if(tm2_build_huff_table(ctx, &codes) == -1) return -1; @@ -303,6 +307,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i ctx->tok_lens[stream_id] = toks; len = AV_RB32(buf); buf += 4; cur += 4; if(len > 0) { + if (skip <= cur) + return -1; init_get_bits(&ctx->gb, buf, (skip - cur) * 8); for(i = 0; i < toks; i++) { if (get_bits_left(&ctx->gb) <= 0) { |