authorMichael Niedermayer <michaelni@gmx.at>2013-01-07 21:31:40 +0100
committerMichael Niedermayer <michaelni@gmx.at>2013-01-07 21:35:52 +0100
commit0780fe27404c24d58bf9b2a3b928d885772bc702 (patch)
treeacf027fcbb126d8c812a54066510d49eb4d399d7
parentf65daf577af25df69f3b43a49879158d2f77f3f8 (diff)
rmdec: Limit videobufsize to remaining amount of data
Fixes excessive memory allocation Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavformat/rmdec.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 3b476ff93c..ee1e0ff30a 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -25,6 +25,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/dict.h"
#include "avformat.h"
+#include "avio_internal.h"
#include "internal.h"
#include "rmsipr.h"
#include "rm.h"
@@ -696,6 +697,10 @@ static int rm_assemble_video_frame(AVFormatContext *s, AVIOContext *pb,
*pseq = seq;
if((seq & 0x7F) == 1 || vst->curpic_num != pic_num){
+ if (len2 > ffio_limit(pb, len2)) {
+ av_log(s, AV_LOG_ERROR, "Impossibly sized packet\n");
+ return AVERROR_INVALIDDATA;
+ }
vst->slices = ((hdr & 0x3F) << 1) + 1;
vst->videobufsize = len2 + 8*vst->slices + 1;
av_free_packet(&vst->pkt); //FIXME this should be output.
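Review bot: The guard `if (len2 > ffio_limit(pb, len2))` bounds `vst->videobufsize` only when the I/O layer knows how much input remains. As far as I know, `ffio_limit()` returns its argument unchanged when the input size is unknown (for example a non-seekable stream), so on such inputs a header-supplied `len2` would presumably still size the buffer allocated after this hunk. Consider pairing it with an absolute ceiling on `len2`, or at least documenting the limitation with a comment such as `/* len2 comes from the packet header; ffio_limit() can only clamp it when the input size is known */`. Logging the rejected value would also help when triaging malformed files, e.g. `av_log(s, AV_LOG_ERROR, "Impossibly sized packet (len2=%d)\n", len2);`, assuming `len2` is an `int`. rm_assemble_video_frame starts and ends outside the hunk, so the allocation itself is not visible here.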