[FFmpeg-cvslog] aasc: Check minimum buffer size
Luca Barbato
git at videolan.org
Mon Jul 29 11:50:28 CEST 2013
ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Sun Jul 7 12:31:19 2013 +0200| [62b1e3b1031e901105d78e831120de8e4c3e0013] | committer: Luca Barbato
aasc: Check minimum buffer size
Prevent some overreads.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=62b1e3b1031e901105d78e831120de8e4c3e0013
---
libavcodec/aasc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c
index bce27c0..60a4be8 100644
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -62,6 +62,9 @@ static int aasc_decode_frame(AVCodecContext *avctx,
AascContext *s = avctx->priv_data;
int compr, i, stride, ret;
+ if (buf_size < 4)
+ return AVERROR_INVALIDDATA;
+
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
return ret;
@@ -73,6 +76,8 @@ static int aasc_decode_frame(AVCodecContext *avctx,
switch (compr) {
case 0:
stride = (avctx->width * 3 + 3) & ~3;
+ if (buf_size < stride * avctx->height)
+ return AVERROR_INVALIDDATA;
for (i = avctx->height - 1; i >= 0; i--) {
memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * 3);
buf += stride;
More information about the ffmpeg-cvslog
mailing list