4xm: Add a check in decode_i_frame to prevent buffer overreads

Fixes bugzilla #135

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
This commit is contained in:
Shitiz Garg 2011-12-14 18:29:21 +05:30 committed by Janne Grunau
parent 01a01bf8bd
commit 355d917c0b

View File

@ -653,9 +653,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
uint16_t *dst= (uint16_t*)f->current_picture.data[0]; uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1; const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf); const unsigned int bitstream_size= AV_RL32(buf);
const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); int token_count av_unused;
unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); unsigned int prestream_size;
const uint8_t *prestream= buf + bitstream_size + 12; const uint8_t *prestream;
if (length < bitstream_size + 12) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA;
}
token_count = AV_RL32(buf + bitstream_size + 8);
prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
prestream = buf + bitstream_size + 12;
if(prestream_size + bitstream_size + 12 != length if(prestream_size + bitstream_size + 12 != length
|| bitstream_size > (1<<26) || bitstream_size > (1<<26)