summaryrefslogtreecommitdiff
path: root/libavcodec/4xm.c
diff options
context:
space:
mode:
authorLuca Barbato <lu_zero@gentoo.org>2013-06-10 16:37:43 +0200
committerLuca Barbato <lu_zero@gentoo.org>2013-06-12 14:45:46 +0200
commit59d7bb99b6a963b7e11c637228b2203adf535eee (patch)
tree0d128688b7d0a057c988cdaeb8f69409833cac8f /libavcodec/4xm.c
parentfbd0dacc8d61ab418b3fa8e7be22017558323e56 (diff)
downloadffmpeg-59d7bb99b6a963b7e11c637228b2203adf535eee.tar.gz
4xm: check bitstream_size boundary before using it
Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec/4xm.c')
-rw-r--r--libavcodec/4xm.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 5814c3afd4..a4e6965fe0 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -739,6 +739,9 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
unsigned int prestream_size;
const uint8_t *prestream;
+ if (bitstream_size > (1 << 26))
+ return AVERROR_INVALIDDATA;
+
if (length < bitstream_size + 12) {
av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
return AVERROR_INVALIDDATA;
@@ -749,7 +752,6 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
prestream = buf + bitstream_size + 12;
if (prestream_size + bitstream_size + 12 != length
- || bitstream_size > (1 << 26)
|| prestream_size > (1 << 26)) {
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n",
prestream_size, bitstream_size, length);