Commit 17705f5d authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/flashsv: Check size before updating it

Fixes out of array read
Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent e0412607
......@@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
}
if (has_diff) {
if (size < 3) {
av_log(avctx, AV_LOG_ERROR, "size too small for diff\n");
return AVERROR_INVALIDDATA;
}
if (!s->keyframe) {
av_log(avctx, AV_LOG_ERROR,
"Inter frame without keyframe\n");
......@@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
int row = get_bits(&gb, 8);
av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n",
i, j, col, row);
if (size < 3) {
av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n");
return AVERROR_INVALIDDATA;
}
size -= 2;
avpriv_request_sample(avctx, "zlibprime_curr");
return AVERROR_PATCHWELCOME;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment