4xm: check bitstream_size boundary before using it

Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 59d7bb99b6a963b7e11c637228b2203adf535eee) Signed-off-by: Reinhard Tartler <siretart@tauware.de> Conflicts: libavcodec/4xm.c
author: Luca Barbato <lu_zero@gentoo.org> 2013-06-10 16:37:43 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2013-06-30 16:25:06 +0200
commit: 6a4f1e784e39c82194a485995906d9917d4619b2 (patch)
tree: f44681d9986d9175d9eecf8c191740011d99bf48
parent: e5679444fd60d0b5a32ad4233e65d3a85300a952 (diff)
download: ffmpeg-6a4f1e784e39c82194a485995906d9917d4619b2.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 842e787baa..e9f08c3729 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -663,6 +663,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     unsigned int prestream_size;
     const uint8_t *prestream;
 
+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
     if (length < bitstream_size + 12) {
         av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
         return AVERROR_INVALIDDATA;
@@ -673,7 +676,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     prestream      = buf + bitstream_size + 12;
 
     if(prestream_size + bitstream_size + 12 != length
-       || bitstream_size > (1<<26)
        || prestream_size > (1<<26)){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
         return -1;
author	Luca Barbato <lu_zero@gentoo.org>	2013-06-10 16:37:43 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2013-06-30 16:25:06 +0200
commit	6a4f1e784e39c82194a485995906d9917d4619b2 (patch)
tree	f44681d9986d9175d9eecf8c191740011d99bf48
parent	e5679444fd60d0b5a32ad4233e65d3a85300a952 (diff)
download	ffmpeg-6a4f1e784e39c82194a485995906d9917d4619b2.tar.gz