From 0b882b4009c9fbe24020c2fe83b21ee43d0784ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Sun, 24 Jan 2010 18:07:29 +0000
Subject: [PATCH] Fix crash in MLP decoder due to integer overflow.

Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after.

Originally committed as revision 21426 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/mlpdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 8060ebe197..bfde83c09f 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -959,7 +959,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
     length = (AV_RB16(buf) & 0xfff) * 2;
-    if (length > buf_size)
+    if (length < 4 || length > buf_size)
         return -1;
     init_get_bits(&gb, (buf + 4), (length - 4) * 8);
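Review bot: The new `length < 4` lower bound is a magic number whose only justification is the `buf + 4` / `(length - 4) * 8` on the following line, and nothing ties the two together for the next maintainer; a comment on the added line such as `/* length counts from buf[0] and includes the 4-byte access-unit header skipped below; anything shorter would hand init_get_bits a negative bit count */` would keep them in sync if the header size ever changes. Separately, `AV_RB16(buf)` on the context line above dereferences two bytes of the input before any size validation happens in this hunk, so the function must already reject `buf_size < 2` (or < 4) earlier — the start of read_access_unit is outside the hunk, so that guard cannot be confirmed here and is worth checking. Note that `length` is bounded to at most 0xfff * 2 by the mask, so the remaining `length > buf_size` comparison is safe only if `buf_size` is non-negative, which FFmpeg's decode contract presumably guarantees.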