[FFmpeg-cvslog] rmdec: Limit videobufsize to remaining amount of data

Michael Niedermayer git at videolan.org
Mon Jan 7 21:42:39 CET 2013


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Jan  7 21:31:40 2013 +0100| [0780fe27404c24d58bf9b2a3b928d885772bc702] | committer: Michael Niedermayer

rmdec: Limit videobufsize to remaining amount of data

Fixes excessive memory allocation

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0780fe27404c24d58bf9b2a3b928d885772bc702
---

 libavformat/rmdec.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 3b476ff..ee1e0ff 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -25,6 +25,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/dict.h"
 #include "avformat.h"
+#include "avio_internal.h"
 #include "internal.h"
 #include "rmsipr.h"
 #include "rm.h"
@@ -696,6 +697,10 @@ static int rm_assemble_video_frame(AVFormatContext *s, AVIOContext *pb,
 
     *pseq = seq;
     if((seq & 0x7F) == 1 || vst->curpic_num != pic_num){
+        if (len2 > ffio_limit(pb, len2)) {
+            av_log(s, AV_LOG_ERROR, "Impossibly sized packet\n");
+            return AVERROR_INVALIDDATA;
+        }
         vst->slices = ((hdr & 0x3F) << 1) + 1;
         vst->videobufsize = len2 + 8*vst->slices + 1;
         av_free_packet(&vst->pkt); //FIXME this should be output.
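
Review bot: The added guard `if (len2 > ffio_limit(pb, len2))` only bounds `len2` from above, and the hunk does not show a lower bound being enforced before `vst->videobufsize = len2 + 8*vst->slices + 1` is computed from it. If `len2` is a signed value that comes from the file, please confirm that a negative value is rejected earlier in the function, or extend the condition here to `len2 < 0 || len2 > ffio_limit(pb, len2)`. It would also help triage to include the offending size in the message, for example `"Impossibly sized packet (%d)\n"` with `len2`, since the current text gives no indication of which value was refused. A short comment above the check stating that it bounds the allocation sized by `videobufsize` would keep the intent clear to later readers.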


