[FFmpeg-cvslog] avcodec/hapdec: Check that there is sufficient input data

Michael Niedermayer git at videolan.org
Fri Jul 24 04:41:11 CEST 2015


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Jul 24 03:25:49 2015 +0200| [5da90d7ec3a3f5eb68bf6bd0665636d8836a39f5] | committer: Michael Niedermayer

avcodec/hapdec: Check that there is sufficient input data

Fixes Ticket4729

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5da90d7ec3a3f5eb68bf6bd0665636d8836a39f5
---

 libavcodec/hapdec.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c
index eb779e6..f4f6ef6 100644
--- a/libavcodec/hapdec.c
+++ b/libavcodec/hapdec.c
@@ -307,6 +307,7 @@ static int hap_decode(AVCodecContext *avctx, void *data,
     HapContext *ctx = avctx->priv_data;
     ThreadFrame tframe;
     int ret, i;
+    int tex_size;
 
     bytestream2_init(&ctx->gbc, avpkt->data, avpkt->size);
 
@@ -327,6 +328,7 @@ static int hap_decode(AVCodecContext *avctx, void *data,
     if (hap_can_use_tex_in_place(ctx)) {
         /* Only DXTC texture compression in a contiguous block */
         ctx->tex_data = ctx->gbc.buffer;
+        tex_size = bytestream2_get_bytes_left(&ctx->gbc);
     } else {
         /* Perform the second-stage decompression */
         ret = av_reallocp(&ctx->tex_buf, ctx->tex_size);
@@ -342,6 +344,14 @@ static int hap_decode(AVCodecContext *avctx, void *data,
         }
 
         ctx->tex_data = ctx->tex_buf;
+        tex_size = ctx->tex_size;
+    }
+
+    if (tex_size < (avctx->coded_width  / TEXTURE_BLOCK_W)
+                  *(avctx->coded_height / TEXTURE_BLOCK_H)
+                  *ctx->tex_rat) {
+        av_log(avctx, AV_LOG_ERROR, "Insufficient data\n");
+        return AVERROR_INVALIDDATA;
     }
 
     /* Use the decompress function on the texture, one block per thread */



More information about the ffmpeg-cvslog mailing list