Commit 9879b506 authored by Michael Niedermayer

truemotion2dec: Fix overread of input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 71e78e1f
...@@ -256,6 +256,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i ...@@ -256,6 +256,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
int len, toks; int len, toks;
TM2Codes codes; TM2Codes codes;
if (buf_size < 4) {
av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n");
return -1;
}
/* get stream length in dwords */ /* get stream length in dwords */
len = AV_RB32(buf); buf += 4; cur += 4; len = AV_RB32(buf); buf += 4; cur += 4;
skip = len * 4 + 4; skip = len * 4 + 4;
...@@ -795,7 +800,7 @@ static int decode_frame(AVCodecContext *avctx, ...@@ -795,7 +800,7 @@ static int decode_frame(AVCodecContext *avctx,
} }
for(i = 0; i < TM2_NUM_STREAMS; i++){ for(i = 0; i < TM2_NUM_STREAMS; i++){
t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size); t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip);
if(t == -1){ if(t == -1){
return -1; return -1;
} }
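Review bot: In the tm2_read_stream hunk the new `buf_size < 4` guard covers only the four bytes of the length field; `len` is then taken straight from the input by `AV_RB32(buf)` and used in `skip = len * 4 + 4` with no range check visible here. Because `len` is an `int`, a large value overflows the signed multiplication and a negative one yields a negative `skip`, and a declared length larger than the remaining data is not rejected against the `buf_size - skip` that decode_frame now passes in. I would bound it right after the read, for example `if (len < 0 || len > (buf_size - 4) / 4) return -1;`, with an av_log like the one in the added check. The rest of tm2_read_stream lies outside the hunk, so a later check may already cover this; if it does, a short comment at the read pointing to it would help the next reader.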