Mercurial > libavcodec.hg
comparison mlpdec.c @ 10992:9aae10c862f7 libavcodec
Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.
| author | reimar |
|---|---|
| date | Sun, 24 Jan 2010 18:07:29 +0000 |
| parents | 1194d0b64bfe |
| children | 919fb8b71591 |
comparison
equal
deleted
inserted
replaced
| 10991:cf7a9b5c4064 | 10992:9aae10c862f7 |
|---|---|
| 957 if (buf_size < 4) | 957 if (buf_size < 4) |
| 958 return 0; | 958 return 0; |
| 959 | 959 |
| 960 length = (AV_RB16(buf) & 0xfff) * 2; | 960 length = (AV_RB16(buf) & 0xfff) * 2; |
| 961 | 961 |
| 962 if (length > buf_size) | 962 if (length < 4 || length > buf_size) |
| 963 return -1; | 963 return -1; |
| 964 | 964 |
| 965 init_get_bits(&gb, (buf + 4), (length - 4) * 8); | 965 init_get_bits(&gb, (buf + 4), (length - 4) * 8); |
| 966 | 966 |
| 967 m->is_major_sync_unit = 0; | 967 m->is_major_sync_unit = 0; |