dv: check buffer size before reading profile.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit e97efecec82ca8458a9bbd75a91ebf556abde362) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-07 13:48:41 -0800
committer: Reinhard Tartler <siretart@tauware.de> 2012-03-13 23:30:21 +0100
commit: 74871ac70ae387470a5da469157050cb2d3ed36f (patch)
tree: 9f6e977be5b06b781d2a51a53186df454fa4efed
parent: 9cb7f6e54a426e132396548a745cb32ff825b1fa (diff)
download: ffmpeg-74871ac70ae387470a5da469157050cb2d3ed36f.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c
index 3a135a9ac7..62e569c576 100644
--- a/libavcodec/dvdata.c
+++ b/libavcodec/dvdata.c
@@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = {
 const DVprofile* avpriv_dv_frame_profile(const DVprofile *sys,
                                   const uint8_t* frame, unsigned buf_size)
 {
-   int i;
+   int i, dsf, stype;
 
-   int dsf = (frame[3] & 0x80) >> 7;
+    if (buf_size < 80*5 + 48 + 4)
+        return NULL;
 
-   int stype = frame[80*5 + 48 + 3] & 0x1f;
+   dsf = (frame[3] & 0x80) >> 7;
+   stype = frame[80*5 + 48 + 3] & 0x1f;
 
    /* 576i50 25Mbps 4:1:1 is a special case */
    if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-07 13:48:41 -0800
committer	Reinhard Tartler <siretart@tauware.de>	2012-03-13 23:30:21 +0100
commit	74871ac70ae387470a5da469157050cb2d3ed36f (patch)
tree	9f6e977be5b06b781d2a51a53186df454fa4efed
parent	9cb7f6e54a426e132396548a745cb32ff825b1fa (diff)
download	ffmpeg-74871ac70ae387470a5da469157050cb2d3ed36f.tar.gz