Commit 80df1ad8 authored by fenrir's avatar fenrir

Fixed buffer overread in flashsv decoder.


git-svn-id: file:///var/local/repositories/ffmpeg/trunk@22210 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
parent 90e495e4
...@@ -113,6 +113,8 @@ static int flashsv_decode_frame(AVCodecContext *avctx, ...@@ -113,6 +113,8 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
/* no supplementary picture */ /* no supplementary picture */
if (buf_size == 0) if (buf_size == 0)
return 0; return 0;
if (buf_size < 4)
return -1;
init_get_bits(&gb, buf, buf_size * 8); init_get_bits(&gb, buf, buf_size * 8);
...@@ -181,6 +183,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx, ...@@ -181,6 +183,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
/* get the size of the compressed zlib chunk */ /* get the size of the compressed zlib chunk */
int size = get_bits(&gb, 16); int size = get_bits(&gb, 16);
if (8 * size > get_bits_left(&gb)) {
avctx->release_buffer(avctx, &s->frame);
s->frame.data[0] = NULL;
return -1;
}
if (size == 0) { if (size == 0) {
/* no change, don't do anything */ /* no change, don't do anything */
......
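Review bot: The two new rejection paths (`if (buf_size < 4)` and `if (8 * size > get_bits_left(&gb))`) return a bare `-1` with no diagnostic, so a truncated or malformed packet is dropped without leaving anything for whoever triages the stream. In the block-size check I would log before releasing the frame, e.g. `av_log(avctx, AV_LOG_ERROR, "block size %d exceeds remaining input\n", size);`, and consider an AVERROR code instead of `-1` if the rest of the function uses them. The `4` in the first check is unexplained; it presumably matches the fixed header read right after `init_get_bits()`, which is outside the visible lines, so a comment such as `/* need the complete frame header */` would tie the bound to that read. flashsv_decode_frame starts and ends outside both hunks, so I cannot confirm whether its other error exits release `s->frame` the same way.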