author | Michael Niedermayer <michaelni@gmx.at> | 2013-06-13 13:41:27 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-06-13 13:41:27 +0200 |
commit | dbddd587e13b9bf718ee0eb0d183be6d8ffb996f (patch) | |
tree | a8e2f612fb31b20604f9fce298d1c8479a120a98 /libavcodec/4xm.c | |
parent | f13f4d2b086519c2b0692ae1ff12d81e8ec494f1 (diff) | |
parent | de2e5777e225e75813daf2373c95e223651fd89a (diff) | |
Merge commit 'de2e5777e225e75813daf2373c95e223651fd89a'
* commit 'de2e5777e225e75813daf2373c95e223651fd89a':
4xm: validate the buffer size before parsing it
Conflicts:
libavcodec/4xm.c
See: 9c661e95
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/4xm.c')
-rw-r--r-- | libavcodec/4xm.c | 26 |
1 files changed, 16 insertions, 10 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 3b205f2b5f..6a2476dcfd 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -440,7 +440,7 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame,
 if (f->version > 1) {
 extra = 20;
 if (length < extra)
- return -1;
+ return AVERROR_INVALIDDATA;
 bitstream_size = AV_RL32(buf + 8);
 wordstream_size = AV_RL32(buf + 12);
 bytestream_size = AV_RL32(buf + 16);
@@ -827,27 +827,33 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 AVFrame *picture = data;
 int i, frame_4cc, frame_size, ret;
- if (buf_size < 12)
+ if (buf_size < 20)
 return AVERROR_INVALIDDATA;
- frame_4cc = AV_RL32(buf);
- if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20)
+
+ if (buf_size < AV_RL32(buf + 4) + 8) {
 av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
+ return AVERROR_INVALIDDATA;
+ }
+
+ frame_4cc = AV_RL32(buf);
 if (frame_4cc == AV_RL32("cfrm")) {
 int free_index = -1;
+ int id, whole_size;
 const int data_size = buf_size - 20;
- const int id = AV_RL32(buf + 12);
- const int whole_size = AV_RL32(buf + 16);
 CFrameBuffer *cfrm;
- if (data_size < 0 || whole_size < 0) {
- av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
+ if (f->version <= 1) {
+ av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version);
 return AVERROR_INVALIDDATA;
 }
- if (f->version <= 1) {
- av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version);
+ id = AV_RL32(buf + 12);
+ whole_size = AV_RL32(buf + 16);
+
+ if (data_size < 0 || whole_size < 0) {
+ av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
 return AVERROR_INVALIDDATA;
 } |
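Review bot: The new size check in decode_frame, `if (buf_size < AV_RL32(buf + 4) + 8)`, performs the addition on the value read from the packet, so if AV_RL32 yields an unsigned 32-bit value (as it appears to), a length field within 8 of the 32-bit maximum wraps to a small number and the comparison passes. Because the preceding `buf_size < 20` check guarantees `buf_size - 8` is positive, keeping the constant on the trusted side avoids the wrap: `if (AV_RL32(buf + 4) > (unsigned)buf_size - 8) {`. The comparison also changed from `!=` to `<`, so packets longer than their declared size are now accepted. The rest of decode_frame lies outside the hunk, so whether later parsing is bounded by the declared size or by buf_size cannot be confirmed from here and is worth a comment at the check.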