truemotion1: check the header size

Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602) (cherry picked from commit 76b40a9bf93e387d98aa7dc02ec7a8d13f51722f)
author: Anton Khirnov <anton@khirnov.net> 2013-11-28 10:54:35 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2014-02-28 23:07:40 -0500
commit: de0e442e9d6754ae1ad56a8372f45f6aa5e51012 (patch)
tree: 9e7480b3f800682974717e177151a1c3c93faf20 /libavcodec/truemotion1.c
parent: 43aa7eb38efc33f193f51d1d239dbfe12663e537 (diff)
download: ffmpeg-de0e442e9d6754ae1ad56a8372f45f6aa5e51012.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index fcf6004c51..65a45d82bf 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -320,6 +320,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
         return -1;
     }
 
+    if (header.header_size + 1 > s->size) {
+        av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* unscramble the header bytes with a XOR operation */
     memset(header_buffer, 0, 128);
     for (i = 1; i < header.header_size; i++)
author	Anton Khirnov <anton@khirnov.net>	2013-11-28 10:54:35 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2014-02-28 23:07:40 -0500
commit	de0e442e9d6754ae1ad56a8372f45f6aa5e51012 (patch)
tree	9e7480b3f800682974717e177151a1c3c93faf20 /libavcodec/truemotion1.c
parent	43aa7eb38efc33f193f51d1d239dbfe12663e537 (diff)
download	ffmpeg-de0e442e9d6754ae1ad56a8372f45f6aa5e51012.tar.gz