From 0b28abf903cd1fd61ba4a06009cd2cb7cc40e6e0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2012 23:10:03 +0100 Subject: [PATCH] vble: check packet size. Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/vble.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/vble.c b/libavcodec/vble.c index 448006a0c3..2c681782bd 100644 --- a/libavcodec/vble.c +++ b/libavcodec/vble.c @@ -127,6 +127,11 @@ static int vble_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (pic->data[0]) avctx->release_buffer(avctx, pic); + if (avpkt->size < 4 || avpkt->size - 4 > INT_MAX/8) { + av_log(avctx, AV_LOG_ERROR, "Invalid packet size\n"); + return AVERROR_INVALIDDATA; + } + /* Allocate buffer */ if (avctx->get_buffer(avctx, pic) < 0) { av_log(avctx, AV_LOG_ERROR, "Could not allocate buffer.\n");