
Prevent a crash by sanity checking buffer reads.

Patch by Daniel Kang, daniel.d.kang at gmail

Originally committed as revision 26251 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Daniel Kang 2011-01-06 23:14:27 +00:00 committed by Carl Eugen Hoyos
parent f5a2d285f9
commit 65cd45a88c


@ -47,7 +47,7 @@ static av_cold int bfi_decode_init(AVCodecContext * avctx)
static int bfi_decode_frame(AVCodecContext * avctx, void *data, static int bfi_decode_frame(AVCodecContext * avctx, void *data,
int *data_size, AVPacket *avpkt) int *data_size, AVPacket *avpkt)
{ {
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size; int buf_size = avpkt->size;
BFIContext *bfi = avctx->priv_data; BFIContext *bfi = avctx->priv_data;
uint8_t *dst = bfi->dst; uint8_t *dst = bfi->dst;
@ -99,6 +99,11 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
unsigned int code = byte >> 6; unsigned int code = byte >> 6;
unsigned int length = byte & ~0xC0; unsigned int length = byte & ~0xC0;
if (buf >= buf_end) {
av_log(avctx, AV_LOG_ERROR, "Input resolution larger than actual frame.\n");
return -1;
}
/* Get length and offset(if required) */ /* Get length and offset(if required) */
if (length == 0) { if (length == 0) {
if (code == 1) { if (code == 1) {
@ -121,6 +126,10 @@ static int bfi_decode_frame(AVCodecContext * avctx, void *data,
switch (code) { switch (code) {
case 0: //Normal Chain case 0: //Normal Chain
if (length >= buf_end - buf) {
av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
return -1;
}
bytestream_get_buffer(&buf, dst, length); bytestream_get_buffer(&buf, dst, length);
dst += length; dst += length;
break; break;
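Review bot: The new `if (buf >= buf_end)` guard in the second hunk is evaluated after the byte that feeds `code` and `length` has already been fetched — the `byte = *buf++` read appears to precede it, outside the hunk — so the check trips one byte late, and the `>=` in the `case 0` check of the third hunk looks like it compensates by keeping one byte readable after the copy, at the cost of rejecting a valid last chain that ends exactly at `buf_end`. If the per-iteration guard is moved above the byte read, the copy check can be relaxed to `if (length > buf_end - buf)` without reintroducing the over-read. The reads that can occur between the two guards (the length/offset fetch under `length == 0`, and the other `case` branches) are outside the hunk, so their bounds should be confirmed separately; `length` is unsigned while `buf_end - buf` is a `ptrdiff_t`, so that comparison is only meaningful while `buf <= buf_end` still holds at that point. bfi_decode_frame's body continues outside the hunk.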