Commit 859a579e authored by Janne Grunau's avatar Janne Grunau

nuv: check RTjpeg header for validity

CC: libav-stable@libav.org
parent 110d015a
...@@ -184,17 +184,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, ...@@ -184,17 +184,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size,
} }
if (c->codec_frameheader) { if (c->codec_frameheader) {
int w, h, q; int w, h, q;
if (buf_size < 12) { if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE ||
buf[5] != RTJPEG_FILE_VERSION) {
av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n");
return -1; return AVERROR_INVALIDDATA;
} }
w = AV_RL16(&buf[6]); w = AV_RL16(&buf[6]);
h = AV_RL16(&buf[8]); h = AV_RL16(&buf[8]);
q = buf[10]; q = buf[10];
if (!codec_reinit(avctx, w, h, q)) if (!codec_reinit(avctx, w, h, q))
return -1; return -1;
buf = &buf[12]; buf = &buf[RTJPEG_HEADER_SIZE];
buf_size -= 12; buf_size -= RTJPEG_HEADER_SIZE;
} }
if (keyframe && c->pic.data[0]) if (keyframe && c->pic.data[0])
......
...@@ -25,6 +25,9 @@ ...@@ -25,6 +25,9 @@
#include <stdint.h> #include <stdint.h>
#include "dsputil.h" #include "dsputil.h"
#define RTJPEG_FILE_VERSION 0
#define RTJPEG_HEADER_SIZE 12
typedef struct { typedef struct {
int w, h; int w, h;
DSPContext *dsp; DSPContext *dsp;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment