[FFmpeg-cvslog] r26251 - trunk/libavcodec/bfi.c

cehoyos subversion
Fri Jan 7 00:14:27 CET 2011


Author: cehoyos
Date: Fri Jan  7 00:14:27 2011
New Revision: 26251

Log:
Prevent a crash by sanity checking buffer reads.

Patch by Daniel Kang, daniel.d.kang at gmail

Modified:
   trunk/libavcodec/bfi.c

Modified: trunk/libavcodec/bfi.c
==============================================================================
--- trunk/libavcodec/bfi.c	Thu Jan  6 23:34:12 2011	(r26250)
+++ trunk/libavcodec/bfi.c	Fri Jan  7 00:14:27 2011	(r26251)
@@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCod
 static int bfi_decode_frame(AVCodecContext * avctx, void *data,
                             int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
     int buf_size = avpkt->size;
     BFIContext *bfi = avctx->priv_data;
     uint8_t *dst = bfi->dst;
@@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecConte
         unsigned int code = byte >> 6;
         unsigned int length = byte & ~0xC0;
 
+        if (buf >= buf_end) {
+            av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
+            return -1;
+        }
+
         /* Get length and offset(if required) */
         if (length == 0) {
             if (code == 1) {
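Review bot: The new `if (buf >= buf_end)` test runs after `byte` has already been used to derive `code` and `length`, so if the opcode byte is fetched with a post-increment just above this hunk (that line is not visible here), an exhausted buffer is still read once before the check fires. Moving the test to the top of the loop body, ahead of the fetch, would close that gap and would stop rejecting a packet whose last opcode byte needs no further input. The check also guarantees only one remaining byte, while the `length == 0` branch that follows appears to consume further length/offset bytes; each of those reads should be bounded by the number of bytes it actually takes. The loop and the function body start and end outside the hunk.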
@@ -121,6 +126,10 @@ static int bfi_decode_frame(AVCodecConte
         switch (code) {
 
         case 0:                //Normal Chain
+            if (length >= buf_end - buf) {
+                av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
+                return -1;
+            }
             bytestream_get_buffer(&buf, dst, length);
             dst += length;
             break;
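Review bot: The guard added to `case 0` bounds only the source side: `bytestream_get_buffer(&buf, dst, length)` still writes `length` bytes to `dst`, and nothing in this hunk compares `length` with the space left in the destination frame. Unless that is enforced outside the hunk, a chain length taken from the packet can still overrun the buffer behind `bfi->dst`, so a matching destination-side check belongs next to this one. Separately, `length >= buf_end - buf` rejects a chain that exactly fills the remaining input and mixes `unsigned int` with `ptrdiff_t`; `if (length > (size_t)(buf_end - buf))` states the intended bound more precisely. Only `case 0` is visible here, so any other case that reads from `buf` needs the same treatment.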


