4xm: Add a check in decode_i_frame to prevent buffer overreads

Fixes bugzilla FFmpeg#135 Signed-off-by: Janne Grunau <[email protected]>
zhengxj91 · Dec 22, 2011 · 355d917 · 355d917
1 parent 01a01bf
commit 355d917
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
@@ -653,9 +653,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
  uint16_t *dst= (uint16_t*)f->current_picture.data[0];
  const int stride= f->current_picture.linesize[0]>>1;
  const unsigned int bitstream_size= AV_RL32(buf);
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
- const uint8_t *prestream= buf + bitstream_size + 12;
+ int token_count av_unused;
+ unsigned int prestream_size;
+ const uint8_t *prestream;
+
+ if (length < bitstream_size + 12) {
+ av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ token_count = AV_RL32(buf + bitstream_size + 8);
+ prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
 
  if(prestream_size + bitstream_size + 12 != length
  || bitstream_size > (1<<26)