ffmpeg | branch: master | Michael Niedermayer <mich...@niedermayer.cc> | Fri Jul 24 03:25:49 2015 +0200| [5da90d7ec3a3f5eb68bf6bd0665636d8836a39f5] | committer: Michael Niedermayer
avcodec/hapdec: Check that there is sufficient input data Fixes Ticket4729 Found-by: ami_stuff Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5da90d7ec3a3f5eb68bf6bd0665636d8836a39f5 --- libavcodec/hapdec.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/hapdec.c b/libavcodec/hapdec.c index eb779e6..f4f6ef6 100644 --- a/libavcodec/hapdec.c +++ b/libavcodec/hapdec.c @@ -307,6 +307,7 @@ static int hap_decode(AVCodecContext *avctx, void *data, HapContext *ctx = avctx->priv_data; ThreadFrame tframe; int ret, i; + int tex_size; bytestream2_init(&ctx->gbc, avpkt->data, avpkt->size); @@ -327,6 +328,7 @@ static int hap_decode(AVCodecContext *avctx, void *data, if (hap_can_use_tex_in_place(ctx)) { /* Only DXTC texture compression in a contiguous block */ ctx->tex_data = ctx->gbc.buffer; + tex_size = bytestream2_get_bytes_left(&ctx->gbc); } else { /* Perform the second-stage decompression */ ret = av_reallocp(&ctx->tex_buf, ctx->tex_size); @@ -342,6 +344,14 @@ static int hap_decode(AVCodecContext *avctx, void *data, } ctx->tex_data = ctx->tex_buf; + tex_size = ctx->tex_size; + } + + if (tex_size < (avctx->coded_width / TEXTURE_BLOCK_W) + *(avctx->coded_height / TEXTURE_BLOCK_H) + *ctx->tex_rat) { + av_log(avctx, AV_LOG_ERROR, "Insufficient data\n"); + return AVERROR_INVALIDDATA; } /* Use the decompress function on the texture, one block per thread */ _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
