diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2013-06-07 16:18:22 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-06-12 14:45:46 +0200 |
| commit | be373cb50d3c411366fec7eef2eb3681abe48f96 (patch) | |
| tree | 8c0a7fdf77f5f292bc0c04edd49a8ef1ee40e3a0 /libavcodec | |
| parent | de2e5777e225e75813daf2373c95e223651fd89a (diff) | |
| download | ffmpeg-be373cb50d3c411366fec7eef2eb3681abe48f96.tar.gz | |
4xm: do not overread the prestream buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/4xm.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 2b8155cc8a..a70be14bdf 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -579,7 +579,8 @@ static int decode_i_mb(FourXContext *f) } static const uint8_t *read_huffman_tables(FourXContext *f, - const uint8_t * const buf) + const uint8_t * const buf, + int len) { int frequency[512] = { 0 }; uint8_t flag[512]; @@ -597,12 +598,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f, for (;;) { int i; + len -= end - start + 1; + + if (end < start || len < 0) + return NULL; + for (i = start; i <= end; i++) frequency[i] = *ptr++; start = *ptr++; if (start == 0) break; + if (--len < 0) + return NULL; + end = *ptr++; } frequency[256] = 1; @@ -744,7 +753,7 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i return AVERROR_INVALIDDATA; } - prestream = read_huffman_tables(f, prestream); + prestream = read_huffman_tables(f, prestream, prestream_size); if (!prestream) { av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n"); return AVERROR_INVALIDDATA; |