aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuca Barbato <lu_zero@gentoo.org>2013-06-07 16:16:46 +0200
committerLuca Barbato <lu_zero@gentoo.org>2013-06-12 14:45:46 +0200
commitde2e5777e225e75813daf2373c95e223651fd89a (patch)
tree261db4bf89ccb43ce462fa78192792f170d0d231
parent145023f57262d21474e35b4a6069cf95136339d4 (diff)
downloadffmpeg-de2e5777e225e75813daf2373c95e223651fd89a.tar.gz
4xm: validate the buffer size before parsing it
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
-rw-r--r--libavcodec/4xm.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 3d8906bffe..2b8155cc8a 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -418,6 +418,8 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame,
src = (uint16_t *)f->last_picture->data[0];
if (f->version > 1) {
+ if (length < 20)
+ return AVERROR_INVALIDDATA;
extra = 20;
bitstream_size = AV_RL32(buf + 8);
wordstream_size = AV_RL32(buf + 12);
@@ -788,18 +790,29 @@ static int decode_frame(AVCodecContext *avctx, void *data,
AVFrame *picture = data;
int i, frame_4cc, frame_size, ret;
- frame_4cc = AV_RL32(buf);
- if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20)
+ if (buf_size < 20)
+ return AVERROR_INVALIDDATA;
+
+ if (buf_size < AV_RL32(buf + 4) + 8) {
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n",
buf_size, AV_RL32(buf + 4));
+ return AVERROR_INVALIDDATA;
+ }
+
+ frame_4cc = AV_RL32(buf);
if (frame_4cc == AV_RL32("cfrm")) {
int free_index = -1;
+ int id, whole_size;
const int data_size = buf_size - 20;
- const int id = AV_RL32(buf + 12);
- const int whole_size = AV_RL32(buf + 16);
CFrameBuffer *cfrm;
+ if (data_size < 0)
+ return AVERROR_INVALIDDATA;
+
+ id = AV_RL32(buf + 12);
+ whole_size = AV_RL32(buf + 16);
+
for (i = 0; i < CFRAME_BUFFER_COUNT; i++)
if (f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n",