diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2015-11-14 13:34:02 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2015-12-06 12:40:49 +0100 |
| commit | 52d332b044eb5f10a1346fa77964ae331a0ff7d3 (patch) | |
| tree | b6ab9650eead8be13d4ff13aabeb2a679a9f0a82 | |
| parent | f68ff799eb00ec7f38e983c7fbe60c7ff948e401 (diff) | |
| download | ffmpeg-52d332b044eb5f10a1346fa77964ae331a0ff7d3.tar.gz | |
avcodec/flashsv: Check size before updating it
Fixes out of array read
Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/flashsv.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c index 8791a2d750..f777f24e19 100644 --- a/libavcodec/flashsv.c +++ b/libavcodec/flashsv.c @@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, } if (has_diff) { + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for diff\n"); + return AVERROR_INVALIDDATA; + } if (!s->keyframe) { av_log(avctx, AV_LOG_ERROR, "Inter frame without keyframe\n"); @@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data, int row = get_bits(&gb, 8); av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", i, j, col, row); + if (size < 3) { + av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n"); + return AVERROR_INVALIDDATA; + } size -= 2; avpriv_request_sample(avctx, "zlibprime_curr"); return AVERROR_PATCHWELCOME; |