author | Michael Niedermayer <michaelni@gmx.at> | 2014-09-13 16:43:27 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-09-13 17:10:13 +0200 |
commit | b11d1889ef607a51dd93dae86e661f0b153b141c (patch) | |
tree | 936360dcf09b4a5c5b852fa80e55d9569d7e0e6d /libavcodec/bmp_parser.c | |
parent | d86cf4a91de2aa9e167a73b56fb59962230e3a32 (diff) | |
download | ffmpeg-b11d1889ef607a51dd93dae86e661f0b153b141c.tar.gz |
avcodec/bmp_parser: fix parsing a single bmp which has a fsize < its header
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/bmp_parser.c')
-rw-r--r-- | libavcodec/bmp_parser.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c
index eae8ae0a7f..25fdd27aaa 100644
--- a/libavcodec/bmp_parser.c
+++ b/libavcodec/bmp_parser.c
@@ -45,21 +45,32 @@ static int bmp_parse(AVCodecParserContext *s, AVCodecContext *avctx,
 int i = 0;
 *poutbuf_size = 0;
- if (buf_size == 0)
- return 0;
- if (!bpc->pc.frame_start_found) {
+ if (bpc->pc.frame_start_found <= 2+4+4) {
 for (; i < buf_size; i++) {
 state = (state << 8) | buf[i];
- if ((state >> 48) == (('B' << 8) | 'M')) {
- bpc->fsize = av_bswap32(state >> 16);
- bpc->pc.frame_start_found = 1;
- if (bpc->fsize > buf_size - i + 7)
- bpc->remaining_size = bpc->fsize - buf_size + i - 7;
+ if (bpc->pc.frame_start_found == 0) {
+ if ((state >> 48) == (('B' << 8) | 'M')) {
+ bpc->fsize = av_bswap32(state >> 16);
+ bpc->pc.frame_start_found = 1;
+ }
+ } else if (bpc->pc.frame_start_found == 2+4+4) {
+// unsigned hsize = av_bswap32(state>>32);
+ unsigned ihsize = av_bswap32(state);
+ if (ihsize < 12 || ihsize > 200) {
+ bpc->pc.frame_start_found = 0;
+ continue;
+ }
+ if (bpc->fsize <= ihsize + 14)
+ bpc->fsize = INT_MAX/2;
+ bpc->pc.frame_start_found++;
+ if (bpc->fsize > buf_size - i + 17)
+ bpc->remaining_size = bpc->fsize - buf_size + i - 17;
 else
- next = bpc->fsize + i - 7;
+ next = bpc->fsize + i - 17;
 break;
- }
+ } else if (bpc->pc.frame_start_found)
+ bpc->pc.frame_start_found++;
 }
 bpc->pc.state64 = state;
 } else { |
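Review bot: The new state machine in bmp_parse leans on several unexplained constants — `2+4+4`, `17`, `12`, `200`, `14` and the `INT_MAX/2` sentinel — and nothing in the hunk says what they stand for, which matters because every one of them bounds how far the parser trusts a size field read from the file. From the BMP layout they appear to be `14` for the BITMAPFILEHEADER size, `12` for the smallest DIB header (BITMAPCOREHEADER), `200` as an upper plausibility bound on the DIB header, and `17` for the bytes consumed before the DIB header size sits in the low 32 bits of `state`; the sentinel presumably defers the frame end to the flush at EOF, which is handled in the `else` branch outside the hunk. I would add `/* fsize is smaller than the headers it describes: treat it as unknown and let EOF end the frame */` above `bpc->fsize = INT_MAX/2;` and `/* state now holds bfOffBits (high 32 bits) and the DIB header size (low 32 bits) */` at the `== 2+4+4` branch. Note also that after the `ihsize` rejection the scan resumes from the current 8-byte window, so a genuine `BM` signature inside the bytes just consumed is not rescanned — likely acceptable for a parser, but worth a one-line comment on the `continue;`. bmp_parse starts and ends outside the hunk.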