[FFmpeg-cvslog] indeo3: check per-plane data buffer against input buffer bounds.

Aneesh Dogra git at videolan.org
Wed Nov 30 02:40:23 CET 2011


ffmpeg | branch: master | Aneesh Dogra <lionaneesh at gmail.com> | Tue Nov 29 23:31:35 2011 +0530| [464ccb01447b91717cf580b870e636514701ce4f] | committer: Alex Converse

indeo3: check per-plane data buffer against input buffer bounds.

Fixes : http://bugzilla.libav.org/show_bug.cgi?id=102

Signed-off-by: Alex Converse <alex.converse at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=464ccb01447b91717cf580b870e636514701ce4f
---

 libavcodec/indeo3.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 4f3cb36..46efbd8 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -804,8 +804,10 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
     num_vectors = bytestream_get_le32(&data);
     ctx->mc_vectors  = num_vectors ? data : 0;
 
+    if (num_vectors * 2 >= data_size)
+        return AVERROR_INVALIDDATA;
     /* init the bitreader */
-    init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3);
+    init_get_bits(&ctx->gb, &data[num_vectors * 2], (data_size - num_vectors * 2) << 3);
     ctx->skip_bits   = 0;
     ctx->need_resync = 0;
 



More information about the ffmpeg-cvslog mailing list