diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2009-04-09 15:17:03 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2009-04-09 15:17:03 +0000 |
commit | f0812be883221eded78011893e6ad50af2f6b129 (patch) | |
tree | a45a18fe56d7a85301cf5317593939dd451d058c /libavcodec | |
parent | 985fdd534f29e5c0e05e47216bb2ae9b8c353895 (diff) | |
download | ffmpeg-f0812be883221eded78011893e6ad50af2f6b129.tar.gz |
Fix crash when max_ref_frames was out of range.
This might have been exploitable.
Fixes first crash of issue840.
Originally committed as revision 18388 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/snow.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/snow.c b/libavcodec/snow.c index a8de940949..921010eaf0 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -3554,7 +3554,7 @@ static void decode_qlogs(SnowContext *s){ } static int decode_header(SnowContext *s){ - int plane_index; + int plane_index, tmp; uint8_t kstate[32]; memset(kstate, MID_STATE, sizeof(kstate)); @@ -3583,7 +3583,12 @@ static int decode_header(SnowContext *s){ s->chroma_v_shift= get_symbol(&s->c, s->header_state, 0); s->spatial_scalability= get_rac(&s->c, s->header_state); // s->rate_scalability= get_rac(&s->c, s->header_state); - s->max_ref_frames= get_symbol(&s->c, s->header_state, 0)+1; + tmp= get_symbol(&s->c, s->header_state, 0)+1; + if(tmp < 1 || tmp > MAX_REF_FRAMES){ + av_log(s->avctx, AV_LOG_ERROR, "reference frame count is %d\n", tmp); + return -1; + } + s->max_ref_frames= tmp; decode_qlogs(s); } @@ -3649,6 +3654,7 @@ static av_cold int common_init(AVCodecContext *avctx){ int i, j; s->avctx= avctx; + s->max_ref_frames=1; //just make sure its not an invalid value in case of no initial keyframe dsputil_init(&s->dsp, avctx); |