authorAnton Khirnov <anton@khirnov.net>2013-11-28 10:54:35 +0100
committerReinhard Tartler <siretart@tauware.de>2014-02-28 23:05:53 -0500
commit13fd80837f85f7d33bfb857ce9a3f33455cf4b3d (patch)
tree7603afda1fbf3f35356bcfde9157be16130bd831
parentf1a7bfea41e56067c3bf4864159c87cdda613c19 (diff)
truemotion1: check the header size
Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)
-rw-r--r--libavcodec/truemotion1.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index 63cd05b66c..2421dacbf3 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -322,6 +322,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
return -1;
}
+ if (header.header_size + 1 > s->size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
/* unscramble the header bytes with a XOR operation */
for (i = 1; i < header.header_size; i++)
header_buffer[i - 1] = s->buf[i] ^ s->buf[i + 1];
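Review bot: The `+ 1` in the new guard is the whole fix and deserves a comment, because the loop right below it reads `s->buf[i + 1]` for `i` up to `header.header_size - 1`, so `s->buf[header.header_size]` is the last byte touched and the packet must hold `header.header_size + 1` bytes; a line such as `/* the XOR loop reads s->buf[1] .. s->buf[header_size] */` above the `if` would keep a later cleanup from loosening the bound. The check that precedes it in this hunk still ends in `return -1;` while the new path returns `AVERROR_INVALIDDATA`, so callers get two different codes for malformed input from the same function. `header.header_size` is computed before the hunk starts; if it is derived from `s->buf[0]`, a zero-length packet would be read before this guard runs, which cannot be confirmed from the visible lines and is worth checking in the caller. The body of truemotion1_decode_header starts and ends outside the hunk.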