changeset 11363:a4596f842e18 libavcodec

Fixed buffer overread in flashsv decoder.
author fenrir
date Thu, 04 Mar 2010 19:10:44 +0000
parents 1682a19a0881
children 4b64693d115d
files flashsv.c
diffstat 1 files changed, 7 insertions(+), 0 deletions(-) [+]
--- a/flashsv.c	Thu Mar 04 12:34:15 2010 +0000
+++ b/flashsv.c	Thu Mar 04 19:10:44 2010 +0000
@@ -113,6 +113,8 @@
     /* no supplementary picture */
     if (buf_size == 0)
         return 0;
+    if (buf_size < 4)
+        return -1;
 
     init_get_bits(&gb, buf, buf_size * 8);
 
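Review bot: The new guard `if (buf_size < 4)` uses an unexplained constant and fails without a diagnostic. Presumably 4 is the byte length of the frame header parsed right after `init_get_bits()`, but that parsing is outside the hunk, so this should be confirmed and recorded in a comment such as `/* need the 32-bit frame header (block and image dimensions) */`. A message before the return would make truncated packets visible in logs, e.g. `av_log(avctx, AV_LOG_ERROR, "packet too small for frame header\n");`, assuming `avctx` is in scope here as it is in the second hunk. The same silent `return -1` applies to the error path added in the second hunk.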
@@ -181,6 +183,11 @@
 
             /* get the size of the compressed zlib chunk */
             int size = get_bits(&gb, 16);
+            if (8 * size > get_bits_left(&gb)) {
+                avctx->release_buffer(avctx, &s->frame);
+                s->frame.data[0] = NULL;
+                return -1;
+            }
 
             if (size == 0) {
                 /* no change, don't do anything */
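Review bot: The bounds check on `size` runs only after `get_bits(&gb, 16)` has already read the length field, so a packet that ends before that field is still read past its payload. That read stays in bounds only if the caller supplies the input padding libavcodec expects. The comparison does appear to reject that case, since `get_bits_left()` should be negative by then while `8 * size` is never negative, but this is implicit. I would either test `get_bits_left(&gb) < 16` before the read, or document the reliance with `/* also catches a truncated size field: get_bits_left() is negative then */`. The enclosing block loop and the rest of the function lie outside the hunk, so whether other exits need the same `release_buffer` cleanup cannot be checked from here.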