RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-22 10:58:04 +00:00
Code Issues Projects Releases Wiki Activity

avcodec/zmbv: Check len before reading in decode_frame()

Browse Source 
Fixes out of array read
Fixes: asan_heap-oob_4d4eb0_3994_cov_3169972261_zmbv_15bit.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1f5c7781e6)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2015-02-25 12:29:10 +01:00
parent ba59d92128
commit ca663f79e9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/zmbv.c
View File

@ -410,11 +410,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
int hi_ver, lo_ver, ret; int hi_ver, lo_ver, ret;
/* parse header */ /* parse header */
if (len < 1)
return AVERROR_INVALIDDATA;
c->flags = buf[0]; c->flags = buf[0];
buf++; len--; buf++; len--;
if (c->flags & ZMBV_KEYFRAME) { if (c->flags & ZMBV_KEYFRAME) {
void *decode_intra = NULL; void *decode_intra = NULL;
c->decode_intra= NULL; c->decode_intra= NULL;
if (len < 6)
return AVERROR_INVALIDDATA;
hi_ver = buf[0]; hi_ver = buf[0];
lo_ver = buf[1]; lo_ver = buf[1];
c->comp = buf[2]; c->comp = buf[2];