comparison mlpdec.c @ 10992:9aae10c862f7 libavcodec
Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.
author | reimar |
---|---|
date | Sun, 24 Jan 2010 18:07:29 +0000 |
parents | 1194d0b64bfe |
children | 919fb8b71591 |
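--- a/mlpdec.c
+++ b/mlpdec.c
@@ -957,11 +957,11 @@
 if (buf_size < 4)
 return 0;
 
 length = (AV_RB16(buf) & 0xfff) * 2;
 
-if (length > buf_size)
+if (length < 4 || length > buf_size)
 return -1;
 
 init_get_bits(&gb, (buf + 4), (length - 4) * 8);
 
 m->is_major_sync_unit = 0;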
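Review bot: The new lower bound on line 962 has no comment explaining why it is 4, and the same literal also appears in `buf_size < 4`, `buf + 4` and `length - 4`, so a later edit to one of them could silently reintroduce a negative bit count in the `init_get_bits` call. I would add `/* length is read from the bitstream; it must cover the 4 bytes skipped below, otherwise (length - 4) * 8 is negative */` directly above the check. The commit message says the crash came from `init_get_bits` setting the buffer to NULL on a bad size, so the comment should make clear that this check, not that fallback, is what protects the reads that follow. The declaration of `length` and the rest of the function are outside the hunk, so whether the subtraction is signed cannot be confirmed from here.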