Commit dbddd587 authored by Michael Niedermayer

Merge commit 'de2e5777'

* commit 'de2e5777':
  4xm: validate the buffer size before parsing it

Conflicts:
	libavcodec/4xm.c

See: 9c661e95

Merged-by: Michael Niedermayer <michaelni@gmx.at>
parents f13f4d2b de2e5777
...@@ -440,7 +440,7 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame, ...@@ -440,7 +440,7 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame,
if (f->version > 1) { if (f->version > 1) {
extra = 20; extra = 20;
if (length < extra) if (length < extra)
return -1; return AVERROR_INVALIDDATA;
bitstream_size = AV_RL32(buf + 8); bitstream_size = AV_RL32(buf + 8);
wordstream_size = AV_RL32(buf + 12); wordstream_size = AV_RL32(buf + 12);
bytestream_size = AV_RL32(buf + 16); bytestream_size = AV_RL32(buf + 16);
...@@ -827,27 +827,33 @@ static int decode_frame(AVCodecContext *avctx, void *data, ...@@ -827,27 +827,33 @@ static int decode_frame(AVCodecContext *avctx, void *data,
AVFrame *picture = data; AVFrame *picture = data;
int i, frame_4cc, frame_size, ret; int i, frame_4cc, frame_size, ret;
if (buf_size < 12) if (buf_size < 20)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
frame_4cc = AV_RL32(buf);
if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20) if (buf_size < AV_RL32(buf + 4) + 8) {
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n",
buf_size, AV_RL32(buf + 4)); buf_size, AV_RL32(buf + 4));
return AVERROR_INVALIDDATA;
}
frame_4cc = AV_RL32(buf);
if (frame_4cc == AV_RL32("cfrm")) { if (frame_4cc == AV_RL32("cfrm")) {
int free_index = -1; int free_index = -1;
int id, whole_size;
const int data_size = buf_size - 20; const int data_size = buf_size - 20;
const int id = AV_RL32(buf + 12);
const int whole_size = AV_RL32(buf + 16);
CFrameBuffer *cfrm; CFrameBuffer *cfrm;
if (data_size < 0 || whole_size < 0) { if (f->version <= 1) {
av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n"); av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
if (f->version <= 1) { id = AV_RL32(buf + 12);
av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version); whole_size = AV_RL32(buf + 16);
if (data_size < 0 || whole_size < 0) {
av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
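Review bot: The relaxed size check `if (buf_size < AV_RL32(buf + 4) + 8)` can be defeated by a header length near UINT32_MAX: if AV_RL32 yields a uint32_t (as in libavutil's intreadwrite), `+ 8` wraps to a small value and the comparison passes for a frame that claims a length far larger than buf_size. Since `buf_size >= 20` is already guaranteed two lines above, the subtraction can be moved to the known-safe side, `if (AV_RL32(buf + 4) > (uint32_t)buf_size - 8) {`, which cannot wrap. The same `buf_size >= 20` guard also makes the later `data_size < 0` test in the cfrm branch unreachable, so that condition can be reduced to `if (whole_size < 0) {` or documented as a defensive leftover. The `%d` conversions in the "size mismatch" av_log receive an unsigned 32-bit value for the second argument; `%u` would match the type. decode_frame's body continues past this hunk, so the use of the header length beyond this point was not reviewed here.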