[FFmpeg-devel] [PATCH] roqvideodec: Improve checking of input buffer bounds.

Reimar Döffinger Reimar.Doeffinger at gmx.de
Sat Aug 20 13:14:03 CEST 2011


Fixes trac issue #408.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
---
 libavcodec/roqvideodec.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
index 4af7ede..bbbb605 100644
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -71,9 +71,14 @@ static void roqvideo_decode_frame(RoqContext *ri)
     }
 
     bpos = xpos = ypos = 0;
+    chunk_size = FFMIN(chunk_size, buf_end - buf);
     while(bpos < chunk_size) {
         for (yp = ypos; yp < ypos + 16; yp += 8)
             for (xp = xpos; xp < xpos + 16; xp += 8) {
+                if (bpos >= chunk_size) {
+                    av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
+                    return;
+                }
                 if (vqflg_pos < 0) {
                     vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8);
                     vqflg_pos = 7;
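Review bot: The guard added before `if (vqflg_pos < 0)` proves only that one byte remains, but the flag-word load that follows consumes two (`buf[bpos++]` twice), so with `bpos == chunk_size - 1` the second read still lands one byte past the clamped end. The condition should account for the two-byte load, for example `if (bpos >= chunk_size || (vqflg_pos < 0 && chunk_size - bpos < 2)) {`. The check in the second hunk has the same one-byte guard before the same two-byte load and needs the same change. Reads that follow the flag word are outside both hunks and would need their own byte accounting. The `FFMIN` clamp compares `chunk_size` with the pointer difference `buf_end - buf`; their declarations are not visible here, so confirm that the types and signedness match.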
@@ -103,6 +108,10 @@ static void roqvideo_decode_frame(RoqContext *ri)
                         if(k & 0x01) x += 4;
                         if(k & 0x02) y += 4;
 
+                        if (bpos >= chunk_size) {
+                            av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
+                            return;
+                        }
                         if (vqflg_pos < 0) {
                             vqflg = buf[bpos++];
                             vqflg |= (buf[bpos++] << 8);
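Review bot: The early `return` in this truncation check cannot tell the caller that the frame was only partly decoded, because the hunk header shows `roqvideo_decode_frame` is `static void`. If the caller (outside this hunk) still outputs the frame, a truncated chunk is presented as a valid picture with only a log line as evidence. Consider making the function return `int`, using `return AVERROR_INVALIDDATA;` at both new checks, and propagating that from the caller. Both sites also log the identical string `"Input buffer too small\n"`, so a distinct message per site would make reports easier to triage. The function body continues outside the hunk.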
-- 
1.7.5.4


