diff options
author | Reinhard Tartler <siretart@tauware.de> | 2010-02-11 21:03:30 +0000 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2010-02-11 21:03:30 +0000 |
commit | 9593c80062e97b819a016dc36b6060d29667efaf (patch) | |
tree | 22437c15e3ed5328a51703ce228d3bbb8d2db062 | |
parent | 48b98cdc677370b8251b0491820ce695b7d76a23 (diff) | |
download | ffmpeg-9593c80062e97b819a016dc36b6060d29667efaf.tar.gz |
Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.
backport r21426 by reimar
Originally committed as revision 21759 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
-rw-r--r-- | libavcodec/mlpdec.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 99754b329c..f1668afea0 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -878,7 +878,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size, length = (AV_RB16(buf) & 0xfff) * 2; - if (length > buf_size) + if (length < 4 || length > buf_size) return -1; init_get_bits(&gb, (buf + 4), (length - 4) * 8); |