From 0d01c9810ab6cae29d8af2529ebf30b6a3338555 Mon Sep 17 00:00:00 2001
From: Shitiz Garg <mail@dragooon.net>
Date: Wed, 14 Dec 2011 18:29:21 +0530
Subject: [PATCH] 4xm: added a check to keep in buffer's limit

decode_frame may attempt to read from outside the buffer's limit
Fixes bugzilla #135
---
 libavcodec/4xm.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 21bde52..3198474 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -653,7 +653,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
     return 0;
 }
 
-static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
+static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length, int buf_size){
     int x, y;
     const int width= f->avctx->width;
     const int height= f->avctx->height;
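Review bot: The new `buf_size` parameter on `decode_i_frame` is undocumented, and nothing in the signature says how it relates to the existing `length`, which is what the body already validates against. A one-line comment above the definition would make the contract explicit, e.g. `/* buf_size: number of bytes actually readable at buf; length is the frame's declared length and is not trusted */` — the second half is an inference from the `!= length` check in the next hunk and should be confirmed against the caller. The rest of the function, including where `bitstream_size` is read, lies outside this hunk.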
@@ -664,6 +664,11 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
     const uint8_t *prestream= buf + bitstream_size + 12;
 
+    if (buf_size < bitstream_size + 12) {
+        av_log(f->avctx, AV_LOG_ERROR, "attempting to read from outside the buffer\n");
+        return;
+    }
+
     if(prestream_size + bitstream_size + 12 != length
        || bitstream_size > (1<<26)
        || prestream_size > (1<<26)){
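Review bot: The added guard returns with no value from `decode_i_frame`, which is declared `static int`, so on the bad-input path the caller's `< 0` test sees an indeterminate value and may go on decoding the frame; it should be `return -1;`, matching the other error returns in this function and in decode_frame. The guard is also placed after `AV_RL32(buf + bitstream_size + 4)` has already read from the region it is meant to protect, so the out-of-bounds read the commit describes still happens before the check runs; it needs to precede the `prestream_size` initializer (and `prestream` too, though that is only pointer arithmetic). `buf_size` is an `int` while `bitstream_size` appears to be unsigned (its declaration is above the hunk), so the comparison is done unsigned and a negative `buf_size` would slip through; comparing against the `(1<<26)` bound first, or casting after rejecting `buf_size < 0`, avoids that. The start of decode_i_frame, where `bitstream_size` is read from `buf`, is outside this hunk.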
@@ -791,7 +796,7 @@ static int decode_frame(AVCodecContext *avctx,
             return -1;
     }else if(frame_4cc == AV_RL32("ifrm")){
         p->pict_type= AV_PICTURE_TYPE_I;
-        if(decode_i_frame(f, buf, frame_size) < 0)
+        if(decode_i_frame(f, buf, frame_size, buf_size) < 0)
             return -1;
     }else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){
         if(!f->last_picture.data[0]){
-- 
1.7.5.4

