4xm: check bitstream_size boundary before using it

Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org

4xm: check bitstream_size boundary before using it
Prevent buffer overread. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
59d7bb99 · Luca Barbato · fbd0dacc · 59d7bb99
Commit 59d7bb99 authored Jun 10, 2013 by Luca Barbato
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

4xm.c libavcodec/4xm.c +3 -1

No files found.
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -739,6 +739,9 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
    unsigned int prestream_size;
    const uint8_t *prestream;

+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
    if (length < bitstream_size + 12) {
        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
        return AVERROR_INVALIDDATA;
@@ -749,7 +752,6 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
    prestream      =             buf + bitstream_size + 12;

    if (prestream_size + bitstream_size + 12 != length
-        || bitstream_size > (1 << 26)
        || prestream_size > (1 << 26)) {
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n",
               prestream_size, bitstream_size, length);