[FFmpeg-cvslog] cdgraphics: switch to bytestream2

Tue, 12 Aug 2014 09:56:15 -0700 

ffmpeg | branch: release/0.10 | Anton Khirnov <an...@khirnov.net> | Wed Aug  6 
10:46:50 2014 +0000| [3aebdffb010df025728d6c2af89642f9634aa806] | committer: 
Anton Khirnov

cdgraphics: switch to bytestream2

Fixes possible invalid memory accesses on corrupted data.

CC:libav-sta...@libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <an...@khirnov.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3aebdffb010df025728d6c2af89642f9634aa806
---

 libavcodec/cdgraphics.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index f1f474f..dc2aa07 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -268,7 +268,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 static int cdg_decode_frame(AVCodecContext *avctx,
                             void *data, int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data;
+    GetByteContext gb;
     int buf_size       = avpkt->size;
     int ret;
     uint8_t command, inst;
@@ -276,10 +276,8 @@ static int cdg_decode_frame(AVCodecContext *avctx,
     AVFrame new_frame;
     CDGraphicsContext *cc = avctx->priv_data;
 
-    if (buf_size < CDG_MINIMUM_PKT_SIZE) {
-        av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
-        return AVERROR(EINVAL);
-    }
+    bytestream2_init(&gb, avpkt->data, avpkt->size);
+
 
     ret = avctx->reget_buffer(avctx, &cc->frame);
     if (ret) {
@@ -287,11 +285,11 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         return ret;
     }
 
-    command = bytestream_get_byte(&buf);
-    inst    = bytestream_get_byte(&buf);
+    command = bytestream2_get_byte(&gb);
+    inst    = bytestream2_get_byte(&gb);
     inst    &= CDG_MASK;
-    buf += 2;  /// skipping 2 unneeded bytes
-    bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+    bytestream2_skip(&gb, 2);
+    bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
 
     if ((command & CDG_MASK) == CDG_COMMAND) {
         switch (inst) {

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

Reply via email to