indeo5dec: Make sure we have had a valid gop header.

This prevents decoding happening on a half initialized context. Fixes CVE-2012-2779 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 891918431db628db17885ed947ee387b29826a64) Conflicts: libavcodec/ivi_common.c libavcodec/ivi_common.h
2012-03-24 17:43:55 +01:00 · 2012-03-24 17:43:55 +01:00 · 03ddc26066
commit 03ddc26066
parent 801eff785a
1 changed files with 10 additions and 2 deletions
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@ -76,6 +76,8 @@ typedef struct {
    int             is_scalable;
    uint32_t        lock_word;
    IVIPicConfig    pic_conf;
+
+    int gop_invalid;
 } IVI5DecContext;


@ -335,8 +337,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx)
    ctx->frame_num = get_bits(&ctx->gb, 8);

    if (ctx->frame_type == FRAMETYPE_INTRA) {
-        if (decode_gop_header(ctx, avctx))
-            return -1;
+        ctx->gop_invalid = 1;
+        if (decode_gop_header(ctx, avctx)) {
+            av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n");
+            return AVERROR_INVALIDDATA;
+        }
+        ctx->gop_invalid = 0;
    }

    if (ctx->frame_type != FRAMETYPE_NULL) {
@ -759,6 +765,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
               "Error while decoding picture header: %d\n", result);
        return -1;
    }
+    if (ctx->gop_invalid)
+        return AVERROR_INVALIDDATA;

    if (ctx->gop_flags & IVI5_IS_PROTECTED) {
        av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n");