Mercurial > libavcodec.hg
changeset 9365:48813960f5d5 libavcodec
Fix crash when max_ref_frames was out of range.
This might have been exploitable.
Fixes first crash of issue840.
author | michael |
---|---|
date | Thu, 09 Apr 2009 15:17:03 +0000 |
parents | 7cee7292d5cc |
children | 48eb9ec4e318 |
files | snow.c |
diffstat | 1 files changed, 8 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/snow.c Thu Apr 09 11:54:13 2009 +0000 +++ b/snow.c Thu Apr 09 15:17:03 2009 +0000 @@ -3554,7 +3554,7 @@ } static int decode_header(SnowContext *s){ - int plane_index; + int plane_index, tmp; uint8_t kstate[32]; memset(kstate, MID_STATE, sizeof(kstate)); @@ -3583,7 +3583,12 @@ s->chroma_v_shift= get_symbol(&s->c, s->header_state, 0); s->spatial_scalability= get_rac(&s->c, s->header_state); // s->rate_scalability= get_rac(&s->c, s->header_state); - s->max_ref_frames= get_symbol(&s->c, s->header_state, 0)+1; + tmp= get_symbol(&s->c, s->header_state, 0)+1; + if(tmp < 1 || tmp > MAX_REF_FRAMES){ + av_log(s->avctx, AV_LOG_ERROR, "reference frame count is %d\n", tmp); + return -1; + } + s->max_ref_frames= tmp; decode_qlogs(s); } @@ -3649,6 +3654,7 @@ int i, j; s->avctx= avctx; + s->max_ref_frames=1; //just make sure its not an invalid value in case of no initial keyframe dsputil_init(&s->dsp, avctx);