4xm: Add a check in decode_i_frame to prevent buffer overreads

Fixes bugzilla #135 Signed-off-by: Janne Grunau <janne-libav@jannau.net>
author: Shitiz Garg <mail@dragooon.net> 2011-12-14 18:29:21 +0530
committer: Janne Grunau <janne-libav@jannau.net> 2011-12-22 23:26:55 +0100
commit: 355d917c0bd8163a3f1c7d4a6866dac749efdb84 (patch)
tree: de41725201b932fd1bce3cf134582bc8158c3f73 /libavcodec/4xm.c
parent: 01a01bf8bdafab1c81c3039850aba042b247626f (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index ba8bb4a652..1c49ff1eba 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -653,9 +653,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
     uint16_t *dst= (uint16_t*)f->current_picture.data[0];
     const int stride= f->current_picture.linesize[0]>>1;
     const unsigned int bitstream_size= AV_RL32(buf);
-    const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
-    unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
-    const uint8_t *prestream= buf + bitstream_size + 12;
+    int token_count av_unused;
+    unsigned int prestream_size;
+    const uint8_t *prestream;
+
+    if (length < bitstream_size + 12) {
+        av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    token_count    = AV_RL32(buf + bitstream_size + 8);
+    prestream_size = 4 * AV_RL32(buf + bitstream_size + 4);
+    prestream      = buf + bitstream_size + 12;
 
     if(prestream_size + bitstream_size + 12 != length
        || bitstream_size > (1<<26)
author	Shitiz Garg <mail@dragooon.net>	2011-12-14 18:29:21 +0530
committer	Janne Grunau <janne-libav@jannau.net>	2011-12-22 23:26:55 +0100
commit	355d917c0bd8163a3f1c7d4a6866dac749efdb84 (patch)
tree	de41725201b932fd1bce3cf134582bc8158c3f73 /libavcodec/4xm.c
parent	01a01bf8bdafab1c81c3039850aba042b247626f (diff)