zmbvdec: Check the buffer size for uncompressed data

Also don't pointlessly set the buffer size to 1 after copying one packet. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö <martin@martin.st> (cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Michael Niedermayer <michaelni@gmx.at> 2012-11-11 18:08:39 +0100
committer: Luca Barbato <lu_zero@gentoo.org> 2013-10-03 20:29:33 +0200
commit: 9e505065b55f9b252d9faa9700f911c6a655a543 (patch)
tree: 95a05a644bfec691121f62e10b33faf6bd5d5917
parent: eba112b4e3313e31f64e93bc878785822a55943e (diff)
download: ffmpeg-9e505065b55f9b252d9faa9700f911c6a655a543.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index c92e553f6d..c7a90f0def 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -508,8 +508,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
     }
 
     if (c->comp == 0) { //Uncompressed data
+        if (c->decomp_size < len) {
+            av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
+            return AVERROR_INVALIDDATA;
+        }
         memcpy(c->decomp_buf, buf, len);
-        c->decomp_size = 1;
     } else { // ZLIB-compressed data
         c->zstream.total_in = c->zstream.total_out = 0;
         c->zstream.next_in = buf;
author	Michael Niedermayer <michaelni@gmx.at>	2012-11-11 18:08:39 +0100
committer	Luca Barbato <lu_zero@gentoo.org>	2013-10-03 20:29:33 +0200
commit	9e505065b55f9b252d9faa9700f911c6a655a543 (patch)
tree	95a05a644bfec691121f62e10b33faf6bd5d5917
parent	eba112b4e3313e31f64e93bc878785822a55943e (diff)
download	ffmpeg-9e505065b55f9b252d9faa9700f911c6a655a543.tar.gz