diff options
author | Luca Barbato <lu_zero@gentoo.org> | 2013-06-07 16:16:46 +0200 |
---|---|---|
committer | Luca Barbato <lu_zero@gentoo.org> | 2013-06-12 14:45:46 +0200 |
commit | de2e5777e225e75813daf2373c95e223651fd89a (patch) | |
tree | 261db4bf89ccb43ce462fa78192792f170d0d231 | |
parent | 145023f57262d21474e35b4a6069cf95136339d4 (diff) | |
download | ffmpeg-de2e5777e225e75813daf2373c95e223651fd89a.tar.gz |
4xm: validate the buffer size before parsing it
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
-rw-r--r-- | libavcodec/4xm.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 3d8906bffe..2b8155cc8a 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -418,6 +418,8 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame, src = (uint16_t *)f->last_picture->data[0]; if (f->version > 1) { + if (length < 20) + return AVERROR_INVALIDDATA; extra = 20; bitstream_size = AV_RL32(buf + 8); wordstream_size = AV_RL32(buf + 12); @@ -788,18 +790,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, AVFrame *picture = data; int i, frame_4cc, frame_size, ret; - frame_4cc = AV_RL32(buf); - if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20) + if (buf_size < 20) + return AVERROR_INVALIDDATA; + + if (buf_size < AV_RL32(buf + 4) + 8) { av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4)); + return AVERROR_INVALIDDATA; + } + + frame_4cc = AV_RL32(buf); if (frame_4cc == AV_RL32("cfrm")) { int free_index = -1; + int id, whole_size; const int data_size = buf_size - 20; - const int id = AV_RL32(buf + 12); - const int whole_size = AV_RL32(buf + 16); CFrameBuffer *cfrm; + if (data_size < 0) + return AVERROR_INVALIDDATA; + + id = AV_RL32(buf + 12); + whole_size = AV_RL32(buf + 16); + for (i = 0; i < CFRAME_BUFFER_COUNT; i++) if (f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number) av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", |