[FFmpeg-cvslog] r21426 - trunk/libavcodec/mlpdec.c
reimar
subversion
Sun Jan 24 19:07:29 CET 2010
Author: reimar
Date: Sun Jan 24 19:07:29 2010
New Revision: 21426
Log:
Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.
Modified:
trunk/libavcodec/mlpdec.c
Modified: trunk/libavcodec/mlpdec.c
==============================================================================
--- trunk/libavcodec/mlpdec.c Sun Jan 24 19:05:02 2010 (r21425)
+++ trunk/libavcodec/mlpdec.c Sun Jan 24 19:07:29 2010 (r21426)
@@ -959,7 +959,7 @@ static int read_access_unit(AVCodecConte
length = (AV_RB16(buf) & 0xfff) * 2;
- if (length > buf_size)
+ if (length < 4 || length > buf_size)
return -1;
init_get_bits(&gb, (buf + 4), (length - 4) * 8);
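Review bot: The new lower bound in `if (length < 4 || length > buf_size)` is a bare literal that has to stay in step with the `buf + 4` and `(length - 4) * 8` on the following `init_get_bits` line, and nothing in the hunk says so. A one-line comment, or a named constant for the 4-byte header used in all three places, would make it clear that the check exists to keep `length - 4` from going below zero and would prevent the two from drifting apart in a later edit. Since `length` is derived as `(AV_RB16(buf) & 0xfff) * 2`, the values this now rejects are 0 and 2, which come straight from the stream; the path still returns -1 silently, so consider an av_log error there so that malformed or hostile input is distinguishable from other decode failures when triaging.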