[FFmpeg-cvslog] 4xm: check bitstream_size boundary before using it
Luca Barbato
git at videolan.org
Mon Jul 29 04:01:57 CEST 2013
ffmpeg | branch: release/0.10 | Luca Barbato <lu_zero at gentoo.org> | Mon Jun 10 16:37:43 2013 +0200| [6a4f1e784e39c82194a485995906d9917d4619b2] | committer: Reinhard Tartler
4xm: check bitstream_size boundary before using it
Prevent buffer overread.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 59d7bb99b6a963b7e11c637228b2203adf535eee)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
Conflicts:
libavcodec/4xm.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6a4f1e784e39c82194a485995906d9917d4619b2
---
libavcodec/4xm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 842e787..e9f08c3 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -663,6 +663,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
unsigned int prestream_size;
const uint8_t *prestream;
+ if (bitstream_size > (1 << 26))
+ return AVERROR_INVALIDDATA;
+
if (length < bitstream_size + 12) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA;
@@ -673,7 +676,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
prestream = buf + bitstream_size + 12;
if(prestream_size + bitstream_size + 12 != length
- || bitstream_size > (1<<26)
|| prestream_size > (1<<26)){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
return -1;
More information about the ffmpeg-cvslog
mailing list