[FFmpeg-cvslog] fraps: fix version 0/1 input data size check.
Michael Niedermayer
git at videolan.org
Fri Jun 1 23:49:40 CEST 2012
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Fri Jun 1 23:21:03 2012 +0200| [0bae6661cd171abf55cfa4b8970b08c470d65dee] | committer: Michael Niedermayer
fraps: fix version 0/1 input data size check.
Fixes array overread.
Fixes Ticket1371
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0bae6661cd171abf55cfa4b8970b08c470d65dee
---
libavcodec/fraps.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index 30c23d8..1cf4062 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -161,17 +161,17 @@ static int decode_frame(AVCodecContext *avctx,
unsigned needed_size = avctx->width*avctx->height*3;
if (version == 0) needed_size /= 2;
needed_size += header_size;
- if (buf_size != needed_size && buf_size != header_size) {
- av_log(avctx, AV_LOG_ERROR,
- "Invalid frame length %d (should be %d)\n",
- buf_size, needed_size);
- return -1;
- }
/* bit 31 means same as previous pic */
if (header & (1U<<31)) {
*data_size = 0;
return buf_size;
}
+ if (buf_size != needed_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid frame length %d (should be %d)\n",
+ buf_size, needed_size);
+ return -1;
+ }
} else {
/* skip frame */
if (buf_size == 8) {
More information about the ffmpeg-cvslog
mailing list