[FFmpeg-cvslog] aasc: Check minimum buffer size

Luca Barbato git at videolan.org
Mon Jul 29 11:50:28 CEST 2013


ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Sun Jul  7 12:31:19 2013 +0200| [62b1e3b1031e901105d78e831120de8e4c3e0013] | committer: Luca Barbato

aasc: Check minimum buffer size

Prevent some overreads.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=62b1e3b1031e901105d78e831120de8e4c3e0013
---

 libavcodec/aasc.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c
index bce27c0..60a4be8 100644
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -62,6 +62,9 @@ static int aasc_decode_frame(AVCodecContext *avctx,
     AascContext *s     = avctx->priv_data;
     int compr, i, stride, ret;
 
+    if (buf_size < 4)
+        return AVERROR_INVALIDDATA;
+
     if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
         return ret;
@@ -73,6 +76,8 @@ static int aasc_decode_frame(AVCodecContext *avctx,
     switch (compr) {
     case 0:
         stride = (avctx->width * 3 + 3) & ~3;
+        if (buf_size < stride * avctx->height)
+            return AVERROR_INVALIDDATA;
         for (i = avctx->height - 1; i >= 0; i--) {
             memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * 3);
             buf += stride;



More information about the ffmpeg-cvslog mailing list