diff options
| author | Federico Tomassetti <federico@tomassetti.me> | 2015-08-13 15:35:53 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2015-08-16 19:02:16 +0200 |
| commit | 7bf9647264308d2df74b2b50669f2d02a7ecc90b (patch) | |
| tree | 37f739fbf7226630979ebdf81a1b9e25f161a24a | |
| parent | f34b152eb7b7e8d2aee57c710a072cf74173fbe1 (diff) | |
| download | ffmpeg-7bf9647264308d2df74b2b50669f2d02a7ecc90b.tar.gz | |
vp7: bound checking in vp7_decode_frame_header
CC: libav-stable@libav.org
| -rw-r--r-- | libavcodec/vp8.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index f11076a6ed..55ebae69fd 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -480,6 +480,10 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si int width = s->avctx->width; int height = s->avctx->height; + if (buf_size < 4) { + return AVERROR_INVALIDDATA; + } + s->profile = (buf[0] >> 1) & 7; if (s->profile > 1) { avpriv_request_sample(s->avctx, "Unknown profile %d", s->profile); @@ -493,6 +497,10 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si buf += 4 - s->profile; buf_size -= 4 - s->profile; + if (buf_size < part1_size) { + return AVERROR_INVALIDDATA; + } + memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); ff_vp56_init_range_decoder(c, buf, part1_size); |