[FFmpeg-cvslog] indeo5dec: Make sure we have had a valid gop header.

[Michael Niedermayer]

ffmpeg | branch: release/0.10 | Michael Niedermayer <michaelni at gmx.at> | Sat Mar 24 17:43:55 2012 +0100| [dc8371b2b12f4fc992623dd46fa47c81cbe21575] | committer: Reinhard Tartler

indeo5dec: Make sure we have had a valid gop header.

This prevents decoding happening on a half initialized context.

Fixes CVE-2012-2779

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton at khirnov.net>
(cherry picked from commit 891918431db628db17885ed947ee387b29826a64)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc8371b2b12f4fc992623dd46fa47c81cbe21575
---

 libavcodec/indeo5.c     |    8 ++++++--
 libavcodec/ivi_common.c |    2 ++
 libavcodec/ivi_common.h |    2 ++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index f588dc0..60f0eee 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -304,8 +304,12 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx)
     ctx->frame_num = get_bits(&ctx->gb, 8);
 
     if (ctx->frame_type == FRAMETYPE_INTRA) {
-        if (decode_gop_header(ctx, avctx))
-            return -1;
+        ctx->gop_invalid = 1;
+        if (decode_gop_header(ctx, avctx)) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        ctx->gop_invalid = 0;
     }
 
     if (ctx->frame_type != FRAMETYPE_NULL) {
diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c
index 269afa4..b36b31d 100644
--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -782,6 +782,8 @@ int ff_ivi_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
                "Error while decoding picture header: %d\n", result);
         return -1;
     }
+    if (ctx->gop_invalid)
+        return AVERROR_INVALIDDATA;
 
     if (ctx->gop_flags & IVI5_IS_PROTECTED) {
         av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");
diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h
index d52450a..07736f2 100644
--- a/libavcodec/ivi_common.h
+++ b/libavcodec/ivi_common.h
@@ -248,6 +248,8 @@ typedef struct IVI45DecContext {
     int             (*decode_mb_info)  (struct IVI45DecContext *ctx, IVIBandDesc *band, IVITile *tile, AVCodecContext *avctx);
     void            (*switch_buffers)  (struct IVI45DecContext *ctx);
     int             (*is_nonnull_frame)(struct IVI45DecContext *ctx);
+
+    int gop_invalid;
 } IVI45DecContext;
 
 /** compare some properties of two pictures */