changeset 10992:9aae10c862f7 libavcodec

Fix crash in MLP decoder due to integer overflow. Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after.
author reimar
date Sun, 24 Jan 2010 18:07:29 +0000
parents cf7a9b5c4064
children 3932fd1a1c25
files mlpdec.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
--- a/mlpdec.c	Sun Jan 24 18:05:02 2010 +0000
+++ b/mlpdec.c	Sun Jan 24 18:07:29 2010 +0000
@@ -959,7 +959,7 @@
 
     length = (AV_RB16(buf) & 0xfff) * 2;
 
-    if (length > buf_size)
+    if (length < 4 || length > buf_size)
         return -1;
 
     init_get_bits(&gb, (buf + 4), (length - 4) * 8);
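
Review bot: The literal 4 in the new `length < 4` bound on the changed line is the same 4 used in `buf + 4` and `(length - 4) * 8` in the init_get_bits call below, but nothing ties the three together. A short comment or a named constant for the number of bytes skipped would keep the bound and the subtraction in sync if the offset ever changes. The lower bound itself is needed: `length` comes from a masked 16-bit field multiplied by 2, so it can be 0 or 2, and `length - 4` then drops below zero before being scaled to a bit count. It is also worth confirming, above the lines shown here, that buf_size is at least 2 before `AV_RB16(buf)` reads the field, since this hunk only compares `length` against buf_size after that read.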