[FFmpeg-cvslog] r21759 - in branches/0.5: . libavcodec/mlpdec.c
siretart
subversion
Thu Feb 11 22:03:30 CET 2010
Author: siretart
Date: Thu Feb 11 22:03:30 2010
New Revision: 21759
Log:
Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.
backport r21426 by reimar
Modified:
branches/0.5/ (props changed)
branches/0.5/libavcodec/mlpdec.c
Modified: branches/0.5/libavcodec/mlpdec.c
==============================================================================
--- branches/0.5/libavcodec/mlpdec.c Thu Feb 11 21:57:49 2010 (r21758)
+++ branches/0.5/libavcodec/mlpdec.c Thu Feb 11 22:03:30 2010 (r21759)
@@ -878,7 +878,7 @@ static int read_access_unit(AVCodecConte
length = (AV_RB16(buf) & 0xfff) * 2;
- if (length > buf_size)
+ if (length < 4 || length > buf_size)
return -1;
init_get_bits(&gb, (buf + 4), (length - 4) * 8);
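Review bot: the new lower bound in "if (length < 4 || length > buf_size)" still admits length == 4, which hands init_get_bits() a size of (length - 4) * 8 = 0 bits; it is worth confirming that the reads following this call cope with an empty bit reader, or raising the bound to the smallest access unit the decoder can actually parse. The literal 4 now appears in three places (the check, the buf + 4 offset and the length - 4 size) without a comment; a one-line comment or a named constant stating that it is the number of header bytes skipped before the bit reader starts would keep the check and the subtraction in step if either changes. AV_RB16(buf) is also read before any bound is tested, so the caller has to guarantee at least 2 bytes in buf, which the lines shown here do not establish.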