Skip to content

F
ffmpeg.wasm-core
Commit aae47803 authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

vmnc: Check for integer overflow 

Fixes null pointer dereference and potential out of array accesses.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 3b2cd83a
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 0 deletions
libavcodec/vmnc.c
View file @ aae47803
...@@ -345,6 +345,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac ...@@ -345,6 +345,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
size_left = buf_size - (src - buf); size_left = buf_size - (src - buf);
switch(enc) { switch(enc) {
case MAGIC_WMVd: // cursor case MAGIC_WMVd: // cursor
if (w*(int64_t)h*c->bpp2 > INT_MAX/2 - 2) {
av_log(avctx, AV_LOG_ERROR, "dimensions too large\n");
return AVERROR_INVALIDDATA;
}
if(size_left < 2 + w * h * c->bpp2 * 2) { if(size_left < 2 + w * h * c->bpp2 * 2) {
av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left); av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", 2 + w * h * c->bpp2 * 2, size_left);
return -1; return -1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment