[FFmpeg-devel] [libav-devel] [PATCH 5/6] Fixed segfaults on corrupted smacker streams in the decoder.

Reimar Döffinger Reimar.Doeffinger at gmx.de
Tue Sep 13 00:12:40 CEST 2011


On Mon, Sep 12, 2011 at 11:43:45PM +0200, Michael Niedermayer wrote:
> On Mon, Sep 12, 2011 at 11:28:44PM +0200, Reimar Döffinger wrote:
> > On Sun, Sep 11, 2011 at 07:56:46PM +0200, Laurent Aimar wrote:
> > > @@ -653,6 +659,8 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
> > >      } else { //8-bit data
> > >          for(i = stereo; i >= 0; i--)
> > >              pred[i] = get_bits(&gb, 8);
> > > +        if (stereo + unp_size > data_size)
> > > +            return -1;
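Review bot: the new check on the two `+` lines compares `stereo + unp_size` against `data_size`, but the hunk header declares the parameter as `int *data_size`, so unless a local `data_size` is defined outside this hunk the comparison is int against pointer and should read `*data_size`, as in the existing `unp_size > *data_size` check quoted later in this thread. On the overflow question raised below: that same existing check rejects any `unp_size` with bits in `0xC0000000`, so adding `stereo` (0 or 1) to it cannot wrap a 32-bit int, and the new check is then only a tighter bound for the stereo case.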
> > 
> > This can overflow.
> 
> how?
> there is
>     if (unp_size & 0xC0000000 || unp_size > *data_size) {
>         av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
>         return -1;
>     }

I failed to notice that code.
