[FFmpeg-cvslog] flicvideo: fix crash on flic files with invalid frame size

Stefano Sabatini git at videolan.org
Sat Apr 23 12:17:17 CEST 2011


ffmpeg | branch: master | Stefano Sabatini <stefano.sabatini-lala at poste.it> | Sat Apr 23 00:08:28 2011 +0200| [efd6cbc5ddac2d4df7008733bfef1d6d6809cc3c] | committer: Stefano Sabatini

flicvideo: fix crash on flic files with invalid frame size

Add a check in flic_decode_frame_8BPP(): in case chunk_size is >
frame_size, issue a warning and resize chunk_size to frame_size, in
order to avoid out-of-buffer reads.

Fix roundup issue #2520, trac issue #69.

Signed-off-by: Stefano Sabatini <stefano.sabatini-lala at poste.it>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=efd6cbc5ddac2d4df7008733bfef1d6d6809cc3c
---

 libavcodec/flicvideo.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index 126c4e1..7d2fd87 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -181,6 +181,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
     /* iterate through the chunks */
     while ((frame_size > 0) && (num_chunks > 0)) {
         chunk_size = AV_RL32(&buf[stream_ptr]);
+        if (chunk_size > frame_size) {
+            av_log(avctx, AV_LOG_WARNING,
+                   "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
+            chunk_size = frame_size;
+        }
         stream_ptr += 4;
         chunk_type = AV_RL16(&buf[stream_ptr]);
         stream_ptr += 2;
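Review bot: the new check only bounds chunk_size from above; it does not reject a chunk_size smaller than the 6-byte chunk header that the lines right below it consume (`stream_ptr += 4` for the size field, `stream_ptr += 2` for chunk_type), so a truncated or zero-length chunk_size still passes the check and only the upper-bound case is handled. Consider also rejecting `chunk_size < 6` (or whatever minimum the chunk header requires) in the same place, and since a chunk_size larger than frame_size is a sign of a corrupt file rather than a recoverable condition, consider returning an error instead of clamping and continuing, so that the warning does not silently turn bad input into a partially decoded frame. The log message itself is fine, but the `%u` conversions should match the declared types of chunk_size and frame_size, which this hunk does not show.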