[FFmpeg-cvslog] avcodec/interplayvideo: properly check if there is enough bytes left

Paul B Mahol git at videolan.org
Tue Jun 27 16:49:11 EEST 2017


ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Tue Jun 27 15:46:08 2017 +0200| [feab761b73c37311a23a6cbbcee1ddf56439d5a4] | committer: Paul B Mahol

avcodec/interplayvideo: properly check if there is enough bytes left

Signed-off-by: Paul B Mahol <onemda at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=feab761b73c37311a23a6cbbcee1ddf56439d5a4
---

 libavcodec/interplayvideo.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index 421de26cb1..2ac2f991a6 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -1233,6 +1233,10 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
             s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2;
             s->decoding_map = buf + 8 + 14; /* 14 bits of op data */
             video_data_size -= s->decoding_map_size + 14;
+
+            if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8 + s->decoding_map_size + 14, video_data_size);
 
             break;
@@ -1253,6 +1257,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
                 return AVERROR_INVALIDDATA;
             }
 
+            if (buf_size < 8 + video_data_size + s->decoding_map_size + s->skip_map_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
             s->decoding_map = buf + 8 + video_data_size;
             s->skip_map = buf + 8 + video_data_size + s->decoding_map_size;
@@ -1270,6 +1277,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
                 return AVERROR_INVALIDDATA;
             }
 
+            if (buf_size < 8 + video_data_size + s->decoding_map_size)
+                return AVERROR_INVALIDDATA;
+
             bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
             s->decoding_map = buf + 8 + video_data_size;
 



More information about the ffmpeg-cvslog mailing list