virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
Code Issues Releases Activity

truemotion2dec: Fix overread of input.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-03-24 17:42:14 +01:00
parent 71e78e1f51
commit 9879b506b0
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/truemotion2.c
View File

@ -256,6 +256,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
int len, toks; int len, toks;
TM2Codes codes; TM2Codes codes;
if (buf_size < 4) {
av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n");
return -1;
}
/* get stream length in dwords */ /* get stream length in dwords */
len = AV_RB32(buf); buf += 4; cur += 4; len = AV_RB32(buf); buf += 4; cur += 4;
skip = len * 4 + 4; skip = len * 4 + 4;
@ -795,7 +800,7 @@ static int decode_frame(AVCodecContext *avctx,
} }
for(i = 0; i < TM2_NUM_STREAMS; i++){ for(i = 0; i < TM2_NUM_STREAMS; i++){
t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size); t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip);
if(t == -1){ if(t == -1){
return -1; return -1;
} }