authorMichael Niedermayer <michaelni@gmx.at>2014-09-13 16:43:27 +0200
committerMichael Niedermayer <michaelni@gmx.at>2014-09-13 17:10:13 +0200
commitb11d1889ef607a51dd93dae86e661f0b153b141c (patch)
tree936360dcf09b4a5c5b852fa80e55d9569d7e0e6d /libavcodec
parentd86cf4a91de2aa9e167a73b56fb59962230e3a32 (diff)
avcodec/bmp_parser: fix parsing a single bmp which has a fsize < its header
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/bmp_parser.c31
1 files changed, 21 insertions, 10 deletions
diff --git a/libavcodec/bmp_parser.c b/libavcodec/bmp_parser.c
index eae8ae0a7f..25fdd27aaa 100644
--- a/libavcodec/bmp_parser.c
+++ b/libavcodec/bmp_parser.c
@@ -45,21 +45,32 @@ static int bmp_parse(AVCodecParserContext *s, AVCodecContext *avctx,
int i = 0;
*poutbuf_size = 0;
- if (buf_size == 0)
- return 0;
- if (!bpc->pc.frame_start_found) {
+ if (bpc->pc.frame_start_found <= 2+4+4) {
for (; i < buf_size; i++) {
state = (state << 8) | buf[i];
- if ((state >> 48) == (('B' << 8) | 'M')) {
- bpc->fsize = av_bswap32(state >> 16);
- bpc->pc.frame_start_found = 1;
- if (bpc->fsize > buf_size - i + 7)
- bpc->remaining_size = bpc->fsize - buf_size + i - 7;
+ if (bpc->pc.frame_start_found == 0) {
+ if ((state >> 48) == (('B' << 8) | 'M')) {
+ bpc->fsize = av_bswap32(state >> 16);
+ bpc->pc.frame_start_found = 1;
+ }
+ } else if (bpc->pc.frame_start_found == 2+4+4) {
+// unsigned hsize = av_bswap32(state>>32);
+ unsigned ihsize = av_bswap32(state);
+ if (ihsize < 12 || ihsize > 200) {
+ bpc->pc.frame_start_found = 0;
+ continue;
+ }
+ if (bpc->fsize <= ihsize + 14)
+ bpc->fsize = INT_MAX/2;
+ bpc->pc.frame_start_found++;
+ if (bpc->fsize > buf_size - i + 17)
+ bpc->remaining_size = bpc->fsize - buf_size + i - 17;
else
- next = bpc->fsize + i - 7;
+ next = bpc->fsize + i - 17;
break;
- }
+ } else if (bpc->pc.frame_start_found)
+ bpc->pc.frame_start_found++;
}
bpc->pc.state64 = state;
} else {