mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2024-12-29 10:52:20 +00:00
4xm: Add a check in decode_i_frame to prevent buffer overreads
Fixes bugzilla #135 Signed-off-by: Janne Grunau <janne-libav@jannau.net>
parent
01a01bf8bd
commit
355d917c0b
@ -653,9 +653,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
|
|||||||
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
|
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
|
||||||
const int stride= f->current_picture.linesize[0]>>1;
|
const int stride= f->current_picture.linesize[0]>>1;
|
||||||
const unsigned int bitstream_size= AV_RL32(buf);
|
const unsigned int bitstream_size= AV_RL32(buf);
|
||||||
const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
|
int token_count av_unused;
|
||||||
unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
|
unsigned int prestream_size;
|
||||||
const uint8_t *prestream= buf + bitstream_size + 12;
|
const uint8_t *prestream;
|
||||||
|
|
||||||
|
if (length < bitstream_size + 12) {
|
||||||
|
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
}
|
||||||
|
|
||||||
|
token_count = AV_RL32(buf + bitstream_size + 8);
|
||||||
|
prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
|
||||||
|
prestream = buf + bitstream_size + 12;
|
||||||
|
|
||||||
if(prestream_size + bitstream_size + 12 != length
|
if(prestream_size + bitstream_size + 12 != length
|
||||||
|| bitstream_size > (1<<26)
|
|| bitstream_size > (1<<26)
|
||||||
|
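Review bot: The added guard `if (length < bitstream_size + 12)` does not hold for every input, because `bitstream_size` is an unchecked 32-bit field taken from the packet and the unsigned sum wraps for values of 0xFFFFFFF4 and above, so the comparison passes and the reads at `buf + bitstream_size + 4` and `+ 8` still fall outside the packet. The `bitstream_size > (1<<26)` bound that would reject such values only runs in the later `if`, after those reads. Bounding the field before the addition closes the gap: `if (bitstream_size > (1 << 26) || length < bitstream_size + 12) {`. Separately, `AV_RL32(buf)` in the declarations runs before any length test visible in this hunk, so it is worth confirming the caller guarantees at least 4 bytes. The function starts above the hunk and the final `if` condition continues below it.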