diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2013-06-07 16:18:22 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-09-29 22:37:06 +0200 |
| commit | 12dc01bb1f07112cd7eb31e183d75cb3c0fb92ca (patch) | |
| tree | 2b46fb47002b917683ad3292a74e2cae6f3356cb | |
| parent | cd9b0bb07a66d3299bd62922e9dfa742219abe79 (diff) | |
| download | ffmpeg-12dc01bb1f07112cd7eb31e183d75cb3c0fb92ca.tar.gz | |
4xm: do not overread the prestream buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be373cb50d3c411366fec7eef2eb3681abe48f96)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavcodec/4xm.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 52c16cfd77..3d026febe3 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -535,7 +535,10 @@ static int decode_i_mb(FourXContext *f){ return 0; } -static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){ +static const uint8_t *read_huffman_tables(FourXContext *f, + const uint8_t * const buf, + int len) +{ int frequency[512]; uint8_t flag[512]; int up[512]; @@ -553,12 +556,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const for(;;){ int i; + len -= end - start + 1; + + if (end < start || len < 0) + return NULL; + for(i=start; i<=end; i++){ frequency[i]= *ptr++; } start= *ptr++; if(start==0) break; + if (--len < 0) + return NULL; + end= *ptr++; } frequency[256]=1; @@ -691,7 +702,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ return -1; } - prestream = read_huffman_tables(f, prestream); + prestream = read_huffman_tables(f, prestream, prestream_size); if (!prestream) { av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); return AVERROR_INVALIDDATA; |