[FFmpeg-cvslog] r22210 - trunk/libavcodec/flashsv.c
fenrir
subversion
Thu Mar 4 20:10:45 CET 2010
Author: fenrir
Date: Thu Mar 4 20:10:44 2010
New Revision: 22210
Log:
Fixed buffer overread in flashsv decoder.
Modified:
trunk/libavcodec/flashsv.c
Modified: trunk/libavcodec/flashsv.c
==============================================================================
--- trunk/libavcodec/flashsv.c Thu Mar 4 16:08:54 2010 (r22209)
+++ trunk/libavcodec/flashsv.c Thu Mar 4 20:10:44 2010 (r22210)
@@ -113,6 +113,8 @@ static int flashsv_decode_frame(AVCodecC
/* no supplementary picture */
if (buf_size == 0)
return 0;
+ if (buf_size < 4)
+ return -1;
init_get_bits(&gb, buf, buf_size * 8);
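Review bot: The literal 4 in the added `if (buf_size < 4)` guard is undocumented; it presumably stands for the fixed-size frame header parsed right after `init_get_bits()`, but that parsing lies outside the hunk, so the link should be stated at the guard. A comment such as `/* the frame header read below needs at least 4 bytes */` would keep the bound and the header reads in step if the layout ever changes. The rejection is also silent: an `av_log(avctx, AV_LOG_ERROR, ...)` call before `return -1;` would make truncated packets visible when triaging malformed input. flashsv_decode_frame starts and ends outside the hunk.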
@@ -181,6 +183,11 @@ static int flashsv_decode_frame(AVCodecC
/* get the size of the compressed zlib chunk */
int size = get_bits(&gb, 16);
+ if (8 * size > get_bits_left(&gb)) {
+ avctx->release_buffer(avctx, &s->frame);
+ s->frame.data[0] = NULL;
+ return -1;
+ }
if (size == 0) {
/* no change, don't do anything */
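Review bot: The new bound covers only the zlib payload: `get_bits(&gb, 16)` on the line above still reads the length field before anything checks how many bits remain, so on a truncated frame that read can itself run past `buf_size` (harmless only if the caller pads the input, which this hunk does not show). Testing `get_bits_left(&gb) < 16` ahead of the read, with the same release-and-return cleanup, would close that gap. The cleanup also drops `s->frame` entirely, and since the next branch treats `size == 0` as "no change", later frames presumably lose their reference picture after one bad chunk; a short comment stating that this is intended would help. The enclosing block and function continue outside the hunk.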