ffmpeg | branch: master | Paul B Mahol <one...@gmail.com> | Tue Jun 27 15:46:08 2017 +0200| [feab761b73c37311a23a6cbbcee1ddf56439d5a4] | committer: Paul B Mahol
avcodec/interplayvideo: properly check if there is enough bytes left Signed-off-by: Paul B Mahol <one...@gmail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=feab761b73c37311a23a6cbbcee1ddf56439d5a4 --- libavcodec/interplayvideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/interplayvideo.c b/libavcodec/interplayvideo.c index 421de26cb1..2ac2f991a6 100644 --- a/libavcodec/interplayvideo.c +++ b/libavcodec/interplayvideo.c @@ -1233,6 +1233,10 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, s->decoding_map_size = ((s->avctx->width / 8) * (s->avctx->height / 8)) * 2; s->decoding_map = buf + 8 + 14; /* 14 bits of op data */ video_data_size -= s->decoding_map_size + 14; + + if (buf_size < 8 + s->decoding_map_size + 14 + video_data_size) + return AVERROR_INVALIDDATA; + bytestream2_init(&s->stream_ptr, buf + 8 + s->decoding_map_size + 14, video_data_size); break; @@ -1253,6 +1257,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + if (buf_size < 8 + video_data_size + s->decoding_map_size + s->skip_map_size) + return AVERROR_INVALIDDATA; + bytestream2_init(&s->stream_ptr, buf + 8, video_data_size); s->decoding_map = buf + 8 + video_data_size; s->skip_map = buf + 8 + video_data_size + s->decoding_map_size; @@ -1270,6 +1277,9 @@ static int ipvideo_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } + if (buf_size < 8 + video_data_size + s->decoding_map_size) + return AVERROR_INVALIDDATA; + bytestream2_init(&s->stream_ptr, buf + 8, video_data_size); s->decoding_map = buf + 8 + video_data_size; _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
