[FFmpeg-cvslog] avcodec/interplayvideo: properly check if there is enough bytes left
Paul B Mahol
git at videolan.org
Tue Jun 27 16:49:11 EEST 2017
ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Tue Jun 27 15:46:08 2017 +0200| [feab761b73c37311a23a6cbbcee1ddf56439d5a4] | committer: Paul B Mahol
avcodec/interplayvideo: properly check if there is enough bytes left
Signed-off-by: Paul B Mahol <onemda at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=feab761b73c37311a23a6cbbcee1ddf56439d5a4
---
libavcodec/interplayvideo.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c
index 421de26cb1..2ac2f991a6 100644
--- a/libavcodec/interplayvideo.c
+++ b/libavcodec/interplayvideo.c
@@ -1233,6 +1233,10 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2;
s->decoding_map = buf + 8 + 14; /* 14 bits of op data */
video_data_size -= s->decoding_map_size + 14;
+
+ if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size)
+ return AVERROR_INVALIDDATA;
+
bytestream2_init(&s->stream_ptr, buf + 8 + s->decoding_map_size + 14, video_data_size);
break;
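Review bot: The bound added in this first hunk is evaluated after `video_data_size -= s->decoding_map_size + 14;`, so `8 + s->decoding_map_size + 14 + video_data_size` collapses back to 8 plus the original video_data_size and never verifies that the decoding map itself fits. If the declared video data is shorter than the map plus 14, the subtraction goes negative (or wraps, should the variable be unsigned; its declaration is outside the hunk). The check can still pass, `s->decoding_map` can then extend past the end of the packet, and bytestream2_init() is handed a bad length. Unless a check outside the hunk already covers this, add `if (video_data_size <= 0) return AVERROR_INVALIDDATA;` directly after the subtraction. ipvideo_decode_frame starts and ends outside the hunk.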
@@ -1253,6 +1257,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
}
+ if (buf_size < 8 + video_data_size + s->decoding_map_size + s->skip_map_size)
+ return AVERROR_INVALIDDATA;
+
bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
s->decoding_map = buf + 8 + video_data_size;
s->skip_map = buf + 8 + video_data_size + s->decoding_map_size;
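Review bot: The bounds expression in this hunk is written out separately from the pointer arithmetic it protects, with the literal `8` and the same sums repeated in the check, in bytestream2_init() and in the `s->decoding_map` / `s->skip_map` assignments; the third hunk has the same shape. A later edit to one of those lines can silently desynchronise the check from the accesses. Computing the offsets once, e.g. `map_off = 8 + video_data_size;` and `skip_off = map_off + s->decoding_map_size;`, then testing `buf_size < skip_off + s->skip_map_size` and reusing the same locals for the pointers, keeps the check and the reads tied together. The new rejection path also returns without a message, so a short `av_log(avctx, AV_LOG_ERROR, ...)` before the return would make truncated packets easier to diagnose. The enclosing case and function continue outside the hunk.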
@@ -1270,6 +1277,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
}
+ if (buf_size < 8 + video_data_size + s->decoding_map_size)
+ return AVERROR_INVALIDDATA;
+
bytestream2_init(&s->stream_ptr, buf + 8, video_data_size);
s->decoding_map = buf + 8 + video_data_size;