[SCM] libav/upstream.snapshot: 4xm: check bitstream_size boundary before using it

siretart at users.alioth.debian.org siretart at users.alioth.debian.org
Sat Jul 13 06:29:03 UTC 2013


The following commit has been merged in the upstream.snapshot branch:
commit 04c29196ad70af4efe656a777cfbf6a02404303c
Author: Luca Barbato <lu_zero at gentoo.org>
Date:   Mon Jun 10 16:37:43 2013 +0200

    4xm: check bitstream_size boundary before using it
    
    Prevent buffer overread.
    
    Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable at libav.org
    (cherry picked from commit 59d7bb99b6a963b7e11c637228b2203adf535eee)
    
    Signed-off-by: Reinhard Tartler <siretart at tauware.de>

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 5602f62..cf9ad72 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -733,6 +733,9 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length)
     unsigned int prestream_size;
     const uint8_t *prestream;
 
+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
     if (length < bitstream_size + 12) {
         av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
         return AVERROR_INVALIDDATA;
@@ -743,7 +746,6 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length)
     prestream      =             buf + bitstream_size + 12;
 
     if (prestream_size + bitstream_size + 12 != length
-        || bitstream_size > (1 << 26)
         || prestream_size > (1 << 26)) {
         av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n",
                prestream_size, bitstream_size, length);

-- 
Libav/FFmpeg packaging



More information about the pkg-multimedia-commits mailing list