[FFmpeg-cvslog] Check for overread in vqa video decoder.
Reimar Döffinger
git at videolan.org
Thu Jan 5 22:25:24 CET 2012
ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Thu Jan 5 18:25:40 2012 +0100| [427802324098eff19b307b486179b56d8b50b9a8] | committer: Reimar Döffinger
Check for overread in vqa video decoder.
This issue was discovered while decoding the FATE sample vqa/ws_snd.vqa.
For some unknown reason only audio decoding is tested by FATE for that file,
but not video.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=427802324098eff19b307b486179b56d8b50b9a8
---
libavcodec/vqavideo.c | 13 +++++++++----
1 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 917e04b..ae99c6d 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -322,10 +322,17 @@ static void vqa_decode_chunk(VqaContext *s)
int hibytes = s->decode_buffer_size / 2;
/* first, traverse through the frame and find the subchunks */
- while (index < s->size) {
+ while (index + CHUNK_PREAMBLE_SIZE <= s->size) {
+ unsigned next_index;
chunk_type = AV_RB32(&s->buf[index]);
chunk_size = AV_RB32(&s->buf[index + 4]);
+ byte_skip = chunk_size & 0x01;
+ next_index = index + CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip;
+ if (next_index > s->size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Dropping incomplete chunk\n");
+ break;
+ }
switch (chunk_type) {
@@ -366,9 +373,7 @@ static void vqa_decode_chunk(VqaContext *s)
chunk_type);
break;
}
-
- byte_skip = chunk_size & 0x01;
- index += (CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip);
+ index = next_index;
}
/* next, deal with the palette */
More information about the ffmpeg-cvslog
mailing list