diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-11-14 02:50:59 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-11-14 02:51:38 +0100 |
commit | 39c5cd601ef09b1a540471960cb3a7e3ba17cb3c (patch) | |
tree | 175614b361fb2536919f8a438d804729636b3e9d /libavcodec | |
parent | b61658829b2f94126196b0accca4e4703fba2c1f (diff) | |
download | ffmpeg-39c5cd601ef09b1a540471960cb3a7e3ba17cb3c.tar.gz |
vmnc: check input size before reading chunk header, fix overread
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/vmnc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 62a1312de6..d3c86f1f97 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -332,6 +332,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac src += 2; chunks = AV_RB16(src); src += 2; while(chunks--) { + if(buf_size - (src - buf) < 12) { + av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n"); + return -1; + } dx = AV_RB16(src); src += 2; dy = AV_RB16(src); src += 2; w = AV_RB16(src); src += 2; |