[FFmpeg-cvslog] tm2: Check remaining size before init_get_bits()
Michael Niedermayer
git at videolan.org
Tue Dec 20 17:18:47 CET 2011
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Dec 20 16:53:56 2011 +0100| [65f0f9183b99881af58e90e3ae2ad8b0181d52f1] | committer: Michael Niedermayer
tm2: Check remaining size before init_get_bits()
Fixes a null pointer dereference.
Fixes 2nd half of Ticket800
Bug found by: Oana Stratulat
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65f0f9183b99881af58e90e3ae2ad8b0181d52f1
---
libavcodec/truemotion2.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 1054a7e..95487d9 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -286,6 +286,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
buf += 4; cur += 4;
buf += 4; cur += 4; /* unused by decoder */
+ if(skip < cur)
+ return -1;
init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
if(tm2_build_huff_table(ctx, &codes) == -1)
return -1;
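Review bot: The guard `if(skip < cur)` rejects only a negative remaining size, so `skip == cur` still reaches `init_get_bits(&ctx->gb, buf, (skip - cur) * 8)` with a length of 0 bits, and `tm2_build_huff_table(ctx, &codes)` is then called with a bit reader that has no data. Suggest `if(skip <= cur)` unless an empty payload is valid at this point, or confirm that the table builder fails cleanly on an exhausted reader. The check also bounds `skip` only from below: nothing in these lines shows `skip` being compared against the input that is actually available, so that upper bound should be verified earlier in the function. A short error log before the `return -1;` would make rejected files easier to triage.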