sanity checks, some might have been exploitable ...

Originally committed as revision 5369 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2006-05-13 10:45:26 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2006-05-13 10:45:26 +0000
commit: 3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (patch)
tree: 54f9925f5f74bf9ca24ede510f6deffd98f2e2c6 /libavcodec/4xm.c
parent: ce1d2a95c3d73663aecc6e5f51533d2bcf1fb1ae (diff)
download: ffmpeg-3a1a7e32ace7af47de74e8ae779cb4e04c89aa97.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 3ca2338d24..a986f151eb 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -606,7 +606,7 @@ static int decode_frame(AVCodecContext *avctx,
     int i, frame_4cc, frame_size;
 
     frame_4cc= get32(buf);
-    if(buf_size != get32(buf+4)+8){
+    if(buf_size != get32(buf+4)+8 || buf_size < 20){
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, get32(buf+4));
     }
 
@@ -634,6 +634,10 @@ static int decode_frame(AVCodecContext *avctx,
         cfrm= &f->cfrm[i];
 
         cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
+        if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
+            av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
+            return -1;
+        }
 
         memcpy(cfrm->data + cfrm->size, buf+20, data_size);
         cfrm->size += data_size;
author	Michael Niedermayer <michaelni@gmx.at>	2006-05-13 10:45:26 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2006-05-13 10:45:26 +0000
commit	3a1a7e32ace7af47de74e8ae779cb4e04c89aa97 (patch)
tree	54f9925f5f74bf9ca24ede510f6deffd98f2e2c6 /libavcodec/4xm.c
parent	ce1d2a95c3d73663aecc6e5f51533d2bcf1fb1ae (diff)
download	ffmpeg-3a1a7e32ace7af47de74e8ae779cb4e04c89aa97.tar.gz