authorLuca Barbato <lu_zero@gentoo.org>2013-06-07 16:16:46 +0200
committerLuca Barbato <lu_zero@gentoo.org>2013-09-29 22:37:03 +0200
commitcd9b0bb07a66d3299bd62922e9dfa742219abe79 (patch)
tree3dfde1641798558284c3cedb0f3c9bf82fb955b8 /libavcodec
parent53c76b68036b4ca81b1342a4c51125c917c26e75 (diff)
downloadffmpeg-cd9b0bb07a66d3299bd62922e9dfa742219abe79.tar.gz
4xm: validate the buffer size before parsing it
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/4xm.c24
1 files changed, 18 insertions, 6 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 77d15d5803..52c16cfd77 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -382,6 +382,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
if(f->version>1){
+ if (length < 20)
+ return AVERROR_INVALIDDATA;
extra=20;
bitstream_size= AV_RL32(buf+8);
wordstream_size= AV_RL32(buf+12);
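Review bot: The new `if (length < 20)` guard only protects the `f->version>1` branch; the `else` branch of this `if` (outside the hunk) presumably reads its own, shorter header from `buf` and still has no length check, so a truncated version-1 packet can still read past the end of `buf`. The literal 20 also silently duplicates the `extra=20` assignment on the next line; tying the check to that value and naming what it covers makes the relation auditable: `extra = 20; /* 8-byte frame header + three 4-byte stream sizes */` followed by `if (length < extra) return AVERROR_INVALIDDATA;`. decode_p_frame's body continues outside the hunk, so the arithmetic on `bitstream_size`/`wordstream_size` that follows is not reviewed here.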
@@ -734,18 +736,28 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame *p, temp;
int i, frame_4cc, frame_size;
- frame_4cc= AV_RL32(buf);
- if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
- av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
+ if (buf_size < 20)
+ return AVERROR_INVALIDDATA;
+
+ if (buf_size < AV_RL32(buf + 4) + 8) {
+ av_log(f->avctx, AV_LOG_ERROR,
+ "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
}
+ frame_4cc = AV_RL32(buf);
+
if(frame_4cc == AV_RL32("cfrm")){
int free_index=-1;
- const int data_size= buf_size - 20;
- const int id= AV_RL32(buf+12);
- const int whole_size= AV_RL32(buf+16);
+ int id, whole_size;
+ const int data_size = buf_size - 20;
CFrameBuffer *cfrm;
+ if (data_size < 0)
+ return AVERROR_INVALIDDATA;
+
+ id = AV_RL32(buf + 12);
+ whole_size = AV_RL32(buf + 16);
+
for(i=0; i<CFRAME_BUFFER_COUNT; i++){
if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
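Review bot: The `if (data_size < 0)` check under the `cfrm` branch is unreachable: `data_size = buf_size - 20` and the function already returned on `buf_size < 20` above, so either drop it or turn it into a comment `/* buf_size >= 20 is guaranteed above */` so the next reader does not look for the case it handles. The size-mismatch test `buf_size < AV_RL32(buf + 4) + 8` is computed in 32-bit unsigned arithmetic, so a header size of 0xFFFFFFF8 or larger wraps to a small value and slips past the log silently; since the branch only logs and continues (as the old code did), that is not a memory-safety issue, but a `(uint64_t)AV_RL32(buf + 4) + 8` or a comment stating that continuing past a mismatch is deliberate would make the intent clear. `whole_size` is now read into a plain `int` from an attacker-controlled 32-bit field and can be negative; its consumer is outside the hunk, so any size validation it needs should happen there rather than being assumed from this check. decode_frame continues past the end of the hunk.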