apps/ffmpeg-rockchip
1
0
Fork 0
mirror of https://github.com/nyanmisaka/ffmpeg-rockchip.git synced 2025-10-31 04:26:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

proresdec: check input size before reading qmats, prevent overreading.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2012-11-11 20:51:30 +01:00
parent 7faa17764a
commit c871244306
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/proresdec2.c
View File

@@ -133,6 +133,10 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
av_dlog(avctx, "flags %x\n", flags); av_dlog(avctx, "flags %x\n", flags);
if (flags & 2) { if (flags & 2) {
if(buf + data_size - ptr < 64) {
av_log(avctx, AV_LOG_ERROR, "Header truncated\n");
return -1;
}
permute(ctx->qmat_luma, ctx->prodsp.idct_permutation, ptr); permute(ctx->qmat_luma, ctx->prodsp.idct_permutation, ptr);
ptr += 64; ptr += 64;
} else { } else {
@@ -140,6 +144,10 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
} }
if (flags & 1) { if (flags & 1) {
if(buf + data_size - ptr < 64) {
av_log(avctx, AV_LOG_ERROR, "Header truncated\n");
return -1;
}
permute(ctx->qmat_chroma, ctx->prodsp.idct_permutation, ptr); permute(ctx->qmat_chroma, ctx->prodsp.idct_permutation, ptr);
} else { } else {
memset(ctx->qmat_chroma, 4, 64); memset(ctx->qmat_chroma, 4, 64);