[FFmpeg-cvslog] bmv: add stricter checks for invalid decoded length

Kostya Shishkov git at videolan.org
Mon Jun 4 00:38:43 CEST 2012


ffmpeg | branch: master | Kostya Shishkov <kostya.shishkov at gmail.com> | Fri Jun  1 20:51:57 2012 +0200| [96fadfb1588b1bf4968af371693e6484ce3050f8] | committer: Kostya Shishkov

bmv: add stricter checks for invalid decoded length

This makes decoder handle random data passed as BMV frame data.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96fadfb1588b1bf4968af371693e6484ce3050f8
---

 libavcodec/bmv.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/bmv.c b/libavcodec/bmv.c
index 49346a4..4d49643 100644
--- a/libavcodec/bmv.c
+++ b/libavcodec/bmv.c
@@ -52,7 +52,7 @@ typedef struct BMVDecContext {
 
 static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, int frame_off)
 {
-    int val, saved_val = 0;
+    unsigned val, saved_val = 0;
     int tmplen = src_len;
     const uint8_t *src, *source_end = source + src_len;
     uint8_t *frame_end = frame + SCREEN_WIDE * SCREEN_HIGH;
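Review bot: decode_bmv_frame has no comment saying what frame_off is, even though the checks added in the hunks below treat it as a signed displacement that may be negative (`dst - frame + SCREEN_WIDE + frame_off < 0`) and the copies read `dst[frame_off + i]`; a one-line comment above the signature, `/* frame_off: signed offset from dst to the reference pixels; may be negative, range-checked per copy. */`, would make the range tests readable. Changing `val` to `unsigned` also changes the meaning of every comparison it takes part in outside this hunk — any `val < 0` test becomes dead and any `val < signed_expr` test is now done in unsigned arithmetic — so those uses should be re-audited (-Wsign-compare/-Wtype-limits will point at them). The function body continues past the end of this hunk.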
@@ -140,7 +140,9 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
         case 1:
             if (forward) {
                 if (dst - frame + SCREEN_WIDE < frame_off ||
-                        frame_end - dst < frame_off + len)
+                        dst - frame + SCREEN_WIDE + frame_off < 0 ||
+                        frame_end - dst < frame_off + len ||
+                        frame_end - dst < len)
                     return -1;
                 for (i = 0; i < len; i++)
                     dst[i] = dst[frame_off + i];
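Review bot: The four conditions together only establish `dst + frame_off >= frame - SCREEN_WIDE`, so the source read `dst[frame_off + i]` may still begin up to SCREEN_WIDE bytes before `frame`; that is safe only if the caller guarantees that much readable memory in front of the buffer, an invariant that nothing in the hunk states. A comment on the check, e.g. `/* assumes SCREEN_WIDE bytes of valid data precede frame (presumably the previous row) -- TODO confirm against the caller's allocation */`, would document it; if no such padding exists, the `+ SCREEN_WIDE` term must come out of both tests. The same four-line test is repeated verbatim in the backward branch below, so a `static int copy_in_bounds(const uint8_t *frame, const uint8_t *frame_end, const uint8_t *dst, int frame_off, int len)` helper would keep the two copies from drifting apart. `frame_off + len` is evaluated in int and is not itself overflow-guarded; whether that matters depends on how `len` is bounded, which is outside the hunk.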
@@ -148,7 +150,9 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
             } else {
                 dst -= len;
                 if (dst - frame + SCREEN_WIDE < frame_off ||
-                        frame_end - dst < frame_off + len)
+                        dst - frame + SCREEN_WIDE + frame_off < 0 ||
+                        frame_end - dst < frame_off + len ||
+                        frame_end - dst < len)
                     return -1;
                 for (i = len - 1; i >= 0; i--)
                     dst[i] = dst[frame_off + i];
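Review bot: `dst -= len` still runs before the new bounds test, so on the rejecting path the function has already formed a pointer up to `len` bytes before the buffer; harmless in practice because it returns -1 at once, but it is out-of-object pointer arithmetic, and `len` here comes from the bitstream. Doing the test on an integer offset and only then moving the pointer avoids that, and keeps the four conditions identical to the forward branch (`frame_end - dst` becomes `SCREEN_WIDE * SCREEN_HIGH - pos`). ptrdiff_t needs <stddef.h>, which the file presumably already gets through its existing includes. The copy loop that follows, and the rest of the function, are outside the hunk.
```c
            } else {
                ptrdiff_t pos = (dst - frame) - len;   /* where the copy would start */
                if (pos + SCREEN_WIDE < frame_off ||
                        pos + SCREEN_WIDE + frame_off < 0 ||
                        (ptrdiff_t)SCREEN_WIDE * SCREEN_HIGH - pos < frame_off + len ||
                        (ptrdiff_t)SCREEN_WIDE * SCREEN_HIGH - pos < len)
                    return -1;
                dst -= len;
                /* … unchanged: backward copy loop … */
```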


