[FFmpeg-cvslog] 4xm: do not overread the prestream buffer
Luca Barbato
git at videolan.org
Tue Aug 27 15:59:05 CEST 2013
ffmpeg | branch: release/1.1 | Luca Barbato <lu_zero at gentoo.org> | Fri Jun 7 16:18:22 2013 +0200| [d33b0f72245da71f7121b08116ef8732731f5adf] | committer: Luca Barbato
4xm: do not overread the prestream buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit be373cb50d3c411366fec7eef2eb3681abe48f96)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d33b0f72245da71f7121b08116ef8732731f5adf
---
libavcodec/4xm.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 493e2ad..5602f62 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -576,7 +576,8 @@ static int decode_i_mb(FourXContext *f)
}
static const uint8_t *read_huffman_tables(FourXContext *f,
- const uint8_t * const buf)
+ const uint8_t * const buf,
+ int len)
{
int frequency[512] = { 0 };
uint8_t flag[512];
@@ -594,12 +595,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f,
for (;;) {
int i;
+ len -= end - start + 1;
+
+ if (end < start || len < 0)
+ return NULL;
+
for (i = start; i <= end; i++)
frequency[i] = *ptr++;
start = *ptr++;
if (start == 0)
break;
+ if (--len < 0)
+ return NULL;
+
end = *ptr++;
}
frequency[256] = 1;
@@ -741,7 +750,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length)
return -1;
}
- prestream = read_huffman_tables(f, prestream);
+ prestream = read_huffman_tables(f, prestream, prestream_size);
if (!prestream) {
av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
return AVERROR_INVALIDDATA;
More information about the ffmpeg-cvslog
mailing list