Prevent a crash by sanity checking buffer reads.
Patch by Daniel Kang, daniel.d.kang at gmail
Originally committed as revision 26251 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent
f5a2d285f9
commit
65cd45a88c
@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx)
|
|||||||
static int bfi_decode_frame(AVCodecContext * avctx, void *data,
|
static int bfi_decode_frame(AVCodecContext * avctx, void *data,
|
||||||
int *data_size, AVPacket *avpkt)
|
int *data_size, AVPacket *avpkt)
|
||||||
{
|
{
|
||||||
const uint8_t *buf = avpkt->data;
|
const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
|
||||||
int buf_size = avpkt->size;
|
int buf_size = avpkt->size;
|
||||||
BFIContext *bfi = avctx->priv_data;
|
BFIContext *bfi = avctx->priv_data;
|
||||||
uint8_t *dst = bfi->dst;
|
uint8_t *dst = bfi->dst;
|
||||||
@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
|
|||||||
unsigned int code = byte >> 6;
|
unsigned int code = byte >> 6;
|
||||||
unsigned int length = byte & ~0xC0;
|
unsigned int length = byte & ~0xC0;
|
||||||
|
|
||||||
|
if (buf >= buf_end) {
|
||||||
|
av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
/* Get length and offset(if required) */
|
/* Get length and offset(if required) */
|
||||||
if (length == 0) {
|
if (length == 0) {
|
||||||
if (code == 1) {
|
if (code == 1) {
|
||||||
@ -121,6 +126,10 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
|
|||||||
switch (code) {
|
switch (code) {
|
||||||
|
|
||||||
case 0: //Normal Chain
|
case 0: //Normal Chain
|
||||||
|
if (length >= buf_end - buf) {
|
||||||
|
av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
bytestream_get_buffer(&buf, dst, length);
|
bytestream_get_buffer(&buf, dst, length);
|
||||||
dst += length;
|
dst += length;
|
||||||
break;
|
break;
|
||||||
|
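Review bot: The new `if (buf >= buf_end)` guard runs only after `byte` has already been split into `code` and `length`, and it proves at most that one more byte is left in the packet. The length/offset branch that starts right below it (`if (length == 0) { if (code == 1) {`) continues outside the hunk; if it pulls multi-byte fields from `buf`, as its comment suggests, those reads are still unbounded on a truncated packet. I would compare the remaining size with what each read needs, e.g. `if (buf_end - buf < needed) return -1;` with `needed` set to the size of the fields about to be read, and give any other `switch` case that consumes input the same kind of check that `case 0` now has. The enclosing loop and the rest of `bfi_decode_frame` are not visible in these hunks, so this should be confirmed against the full function.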