author | Laurent Aimar <fenrir@videolan.org> | 2010-03-04 19:10:44 +0000 |
---|---|---|
committer | Laurent Aimar <fenrir@videolan.org> | 2010-03-04 19:10:44 +0000 |
commit | b8fb21e902f83d8bd8dc340a52cadfd64e685774 (patch) | |
tree | 973b9e4028dbd258873b88e0326e4f1d5db09319 | |
parent | 1379b58482b477c5fdc99ce6be82a12aec3945a0 (diff) | |
download | ffmpeg-b8fb21e902f83d8bd8dc340a52cadfd64e685774.tar.gz |
Fixed buffer overread in flashsv decoder.
Originally committed as revision 22210 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/flashsv.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index 8870fe63a8..b2bdffe7c9 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -113,6 +113,8 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
 /* no supplementary picture */
 if (buf_size == 0)
 return 0;
+ if (buf_size < 4)
+ return -1;
 init_get_bits(&gb, buf, buf_size * 8);
@@ -181,6 +183,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
 /* get the size of the compressed zlib chunk */
 int size = get_bits(&gb, 16);
+ if (8 * size > get_bits_left(&gb)) {
+ avctx->release_buffer(avctx, &s->frame);
+ s->frame.data[0] = NULL;
+ return -1;
+ }
 if (size == 0) {
 /* no change, don't do anything */ |
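Review bot: The literal `4` in the added `if (buf_size < 4)` guard is undocumented, so a later change to the header parsing could silently leave the bound too small. It presumably matches the fixed-size frame header read right after `init_get_bits()`, but those reads are outside the hunk, so that should be confirmed. A comment on the guard such as `/* the frame header parsed below needs at least 4 bytes */` would tie the two together. The body of `flashsv_decode_frame` starts and ends outside this hunk.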
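Review bot: `get_bits(&gb, 16)` still reads the chunk size before anything confirms that 16 bits remain, so on a truncated packet that read can itself run past `buf_size`. The added comparison then rejects the frame only because `get_bits_left()` has gone negative. The overshoot is at most two bytes and is harmless only if the caller provides the usual input padding, which is not visible here. A guard on `get_bits_left(&gb) < 16` placed ahead of the read, with the same release-and-return cleanup as the added branch, would remove that dependency. The enclosing block loop and the rest of `flashsv_decode_frame` lie outside the hunk.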