highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed buffer overread in flashsv decoder.

Browse Source 
Originally committed as revision 22210 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Laurent Aimar
2010-03-04 19:10:44 +00:00
parent 1379b58482
commit b8fb21e902
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/flashsv.c
View File

@@ -113,6 +113,8 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
/* no supplementary picture */ /* no supplementary picture */
if (buf_size == 0) if (buf_size == 0)
return 0; return 0;
if (buf_size < 4)
return -1;
init_get_bits(&gb, buf, buf_size * 8); init_get_bits(&gb, buf, buf_size * 8);
@@ -181,6 +183,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
/* get the size of the compressed zlib chunk */ /* get the size of the compressed zlib chunk */
int size = get_bits(&gb, 16); int size = get_bits(&gb, 16);
if (8 * size > get_bits_left(&gb)) {
avctx->release_buffer(avctx, &s->frame);
s->frame.data[0] = NULL;
return -1;
}
if (size == 0) { if (size == 0) {
/* no change, don't do anything */ /* no change, don't do anything */