Merge commit 'de2e5777'

* commit 'de2e5777': 4xm: validate the buffer size before parsing it Conflicts: libavcodec/4xm.c See: 9c661e95Merged-by: Michael Niedermayer <michaelni@gmx.at>

Merge commit 'de2e5777'
* commit 'de2e5777': 4xm: validate the buffer size before parsing it Conflicts: libavcodec/4xm.c See: 9c661e95Merged-by: Michael Niedermayer <michaelni@gmx.at>
dbddd587 · Michael Niedermayer · f13f4d2b · de2e5777 · dbddd587
Commit dbddd587 authored Jun 13, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 10 deletions

4xm.c libavcodec/4xm.c +16 -10

No files found.
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -440,7 +440,7 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame,
    if (f->version > 1) {
        extra           = 20;
        if (length < extra)
-            return -1;
+            return AVERROR_INVALIDDATA;
        bitstream_size  = AV_RL32(buf + 8);
        wordstream_size = AV_RL32(buf + 12);
        bytestream_size = AV_RL32(buf + 16);
@@ -827,27 +827,33 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    AVFrame *picture      = data;
    int i, frame_4cc, frame_size, ret;

-    if (buf_size < 12)
+    if (buf_size < 20)
        return AVERROR_INVALIDDATA;
-    frame_4cc = AV_RL32(buf);
-    if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20)
+
+    if (buf_size < AV_RL32(buf + 4) + 8) {
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n",
               buf_size, AV_RL32(buf + 4));
+        return AVERROR_INVALIDDATA;
+    }
+
+    frame_4cc = AV_RL32(buf);

    if (frame_4cc == AV_RL32("cfrm")) {
        int free_index       = -1;
+        int id, whole_size;
        const int data_size  = buf_size - 20;
-        const int id         = AV_RL32(buf + 12);
-        const int whole_size = AV_RL32(buf + 16);
        CFrameBuffer *cfrm;

-        if (data_size < 0 || whole_size < 0) {
-            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
+        if (f->version <= 1) {
+            av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version);
            return AVERROR_INVALIDDATA;
        }

-        if (f->version <= 1) {
-            av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version);
+        id         = AV_RL32(buf + 12);
+        whole_size = AV_RL32(buf + 16);
+
+        if (data_size < 0 || whole_size < 0) {
+            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
            return AVERROR_INVALIDDATA;
        }