authorMichael Niedermayer <michaelni@gmx.at>2007-05-06 15:25:04 +0000
committerMichael Niedermayer <michaelni@gmx.at>2007-05-06 15:25:04 +0000
commitbeac8235b92cdd322266e1709fbfe6f9e945e031 (patch)
treea629f0ac88219f829a2f1e00d60a435f04abd37b /libavcodec
parentd9a3c855fb3668150b9dbf6a7a32c0b0117a8111 (diff)
fix possibly exploitable stack overflow with num_sprite_warping_points (found by reimar)
Originally committed as revision 8919 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/h263.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/h263.c b/libavcodec/h263.c
index 4db89e9700..e2ac5fc4fd 100644
--- a/libavcodec/h263.c
+++ b/libavcodec/h263.c
@@ -5665,6 +5665,11 @@ static int decode_vol_header(MpegEncContext *s, GetBitContext *gb){
skip_bits1(gb); /* marker */
}
s->num_sprite_warping_points= get_bits(gb, 6);
+ if(s->num_sprite_warping_points > 3){
+ av_log(s->avctx, AV_LOG_ERROR, "%d sprite_warping_points\n", s->num_sprite_warping_points);
+ s->num_sprite_warping_points= 0;
+ return -1;
+ }
s->sprite_warping_accuracy = get_bits(gb, 2);
s->sprite_brightness_change= get_bits1(gb);
if(s->vol_sprite_usage==STATIC_SPRITE)
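Review bot: The limit in the added `if(s->num_sprite_warping_points > 3){` is a bare literal with nothing tying it to the fixed-size storage it protects, which is indexed outside this hunk, so a later resize of those arrays could leave the check and the buffers out of step. Since `get_bits(gb, 6)` can yield 0 to 63, I would put a comment directly above the check, e.g. `/* 6-bit field; the sprite trajectory code handles at most 3 points */`, or derive the bound from the array dimension if one is in scope. The log text `"%d sprite_warping_points\n"` does not say the value was rejected; something like `"unsupported num_sprite_warping_points %d (max 3)\n"` makes the error useful when triaging malformed streams. decode_vol_header starts and ends outside the hunk, so it is worth confirming that callers discard the header fields already stored in `s` before this `return -1`.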