authorMichael Niedermayer <michaelni@gmx.at>2014-03-10 18:06:35 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-03-10 18:06:35 +0100
commitb7a750f67f68b41d5f3215906a5282b9cb7937d3 (patch)
treef08ed568b4c402148c9051f16e389652b85e3fac /libavcodec/vqavideo.c
parent41216ebb9e53bfa25b1bf39b66c15ab7d2902929 (diff)
parentcb5d0ea0bec119ecbe327bd7d3834987ab42ec1a (diff)
Merge commit 'cb5d0ea0bec119ecbe327bd7d3834987ab42ec1a' into release/0.10
* commit 'cb5d0ea0bec119ecbe327bd7d3834987ab42ec1a': flashsv: Check diff_start diff_height values dsputil/pngdsp: fix signed/unsigned type in end comparison vqavideo: check chunk sizes before reading chunks avi: directly resync on DV in AVI read failure get_bits: change the failure condition in init_get_bits twinvq: Cope with gcc-4.8.2 miscompilation Conflicts: libavcodec/dsputil.c libavcodec/flashsv.c libavcodec/get_bits.h Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/vqavideo.c')
-rw-r--r--libavcodec/vqavideo.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 682079dd9a..f3ad4f2fbe 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -534,6 +534,12 @@ static int vqa_decode_chunk(VqaContext *s)
bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
chunk_size = bytestream2_get_be32(&s->gb);
+ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n",
+ chunk_size);
+ return AVERROR_INVALIDDATA;
+ }
+
/* accumulate partial codebook */
bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
chunk_size);
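Review bot: The added guard bounds chunk_size against the space left in next_codebook_buffer, but nothing compares it with the bytes still available in the packet, and the return value of `bytestream2_get_buffer()` on the following lines is still discarded. The checked reader clamps the copy to what is left, so a truncated cbp0 chunk copies fewer bytes than chunk_size and is accepted silently; if the index is then advanced by chunk_size (that statement is outside the hunk), the gap would keep stale codebook bytes. Consider rejecting the short chunk up front with `if (bytestream2_get_bytes_left(&s->gb) < chunk_size) return AVERROR_INVALIDDATA;`, or comparing the return value of the copy with chunk_size. The same applies to the cbpz hunk below; vqa_decode_chunk starts and ends outside both hunks.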
@@ -557,6 +563,12 @@ static int vqa_decode_chunk(VqaContext *s)
bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
chunk_size = bytestream2_get_be32(&s->gb);
+ if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n",
+ chunk_size);
+ return AVERROR_INVALIDDATA;
+ }
+
/* accumulate partial codebook */
bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
chunk_size);
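Review bot: The guard `chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index` is only sound while the index stays within 0..MAX_CODEBOOK_SIZE, and the code does not say so. chunk_size appears to be unsigned (it is logged with %u), so if the subtraction ever went negative it would be converted to a very large unsigned value and the comparison would let the chunk through. The index's declaration and the places where it is advanced or reset are outside the hunk, so this is presumably safe as long as every write into the buffer passes this check, but the invariant deserves a comment above the test, e.g. `/* next_codebook_buffer_index never exceeds MAX_CODEBOOK_SIZE, so the subtraction cannot go negative */`. The cbp0 hunk above uses the same expression.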