aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReinhard Tartler <siretart@tauware.de>2010-02-11 21:03:30 +0000
committerReinhard Tartler <siretart@tauware.de>2010-02-11 21:03:30 +0000
commit9593c80062e97b819a016dc36b6060d29667efaf (patch)
tree22437c15e3ed5328a51703ce228d3bbb8d2db062
parent48b98cdc677370b8251b0491820ce695b7d76a23 (diff)
downloadffmpeg-9593c80062e97b819a016dc36b6060d29667efaf.tar.gz
Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after. backport r21426 by reimar Originally committed as revision 21759 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
-rw-r--r--libavcodec/mlpdec.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 99754b329c..f1668afea0 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -878,7 +878,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
length = (AV_RB16(buf) & 0xfff) * 2;
- if (length > buf_size)
+ if (length < 4 || length > buf_size)
return -1;
init_get_bits(&gb, (buf + 4), (length - 4) * 8);