[FFmpeg-cvslog] proresdec: check input size before reading qmats, prevent overreading.

Michael Niedermayer git at videolan.org
Sun Nov 11 21:30:53 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Nov 11 20:51:30 2012 +0100| [c871244306f92fecaaed8a97f47ba54d46eb0cd5] | committer: Michael Niedermayer

proresdec: check input size before reading qmats, prevent overreading.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c871244306f92fecaaed8a97f47ba54d46eb0cd5
---

 libavcodec/proresdec2.c |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/proresdec2.c b/libavcodec/proresdec2.c
index d14b535..e643c87 100644
--- a/libavcodec/proresdec2.c
+++ b/libavcodec/proresdec2.c
@@ -133,6 +133,10 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
     av_dlog(avctx, "flags %x\n", flags);
 
     if (flags & 2) {
+        if(buf + data_size - ptr < 64) {
+            av_log(avctx, AV_LOG_ERROR, "Header truncated\n");
+            return -1;
+        }
         permute(ctx->qmat_luma, ctx->prodsp.idct_permutation, ptr);
         ptr += 64;
     } else {
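Review bot: The new guard in the `flags & 2` branch bounds the 64-byte matrix read by `data_size`, the size of the whole input, rather than by the length the frame header declares for itself. If decode_frame_header validates a header-length field earlier (that part is outside this hunk), a header that sets the flag but declares too short a length would still pass this check and have its luma matrix filled from the bytes that follow the header. The read stays inside the buffer, but a malformed header is accepted. Comparing against the declared end of the header would reject it, and `return AVERROR_INVALIDDATA;` would give callers a more specific error than `-1`. The same applies to the `flags & 1` guard in the next hunk.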
@@ -140,6 +144,10 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
     }
 
     if (flags & 1) {
+        if(buf + data_size - ptr < 64) {
+            av_log(avctx, AV_LOG_ERROR, "Header truncated\n");
+            return -1;
+        }
         permute(ctx->qmat_chroma, ctx->prodsp.idct_permutation, ptr);
     } else {
         memset(ctx->qmat_chroma, 4, 64);
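Review bot: The literal `64` now appears in both guards, in the `ptr += 64` advance and in `memset(ctx->qmat_chroma, 4, 64)`, with nothing tying it to the size of the matrix arrays. A single named constant, or `sizeof(ctx->qmat_chroma)` if that member is a 64-byte array (its declaration is not visible here), would keep the bound check and the read length from drifting apart. A short comment above the guard such as `/* each custom quant matrix occupies 64 bytes of the header */` would also explain the limit. The function body continues outside the hunk.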


