From b8fb21e902f83d8bd8dc340a52cadfd64e685774 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Thu, 4 Mar 2010 19:10:44 +0000
Subject: Fixed buffer overread in flashsv decoder.

Originally committed as revision 22210 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/flashsv.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'libavcodec/flashsv.c')

diff --git a/libavcodec/flashsv.c b/libavcodec/flashsv.c
index 8870fe63a8..b2bdffe7c9 100644
--- a/libavcodec/flashsv.c
+++ b/libavcodec/flashsv.c
@@ -113,6 +113,8 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
     /* no supplementary picture */
     if (buf_size == 0)
         return 0;
+    if (buf_size < 4)
+        return -1;
 
     init_get_bits(&gb, buf, buf_size * 8);
 
@@ -181,6 +183,11 @@ static int flashsv_decode_frame(AVCodecContext *avctx,
             /* get the size of the compressed zlib chunk */
             int size = get_bits(&gb, 16);
 
+            if (8 * size > get_bits_left(&gb)) {
+                avctx->release_buffer(avctx, &s->frame);
+                s->frame.data[0] = NULL;
+                return -1;
+            }
 
             if (size == 0) {
                 /* no change, don't do anything */
-- 
cgit v1.2.3
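Review bot: The new `if (buf_size < 4) return -1;` guard uses a bare magic number with nothing saying what the four bytes are; presumably they are the fixed frame header that is read from `gb` straight after `init_get_bits`, but those reads are not in the hunk, so the reader has to go and check. A one-line comment tying the constant to what is read, e.g. `/* the fixed header read below needs at least 4 bytes of input */`, would make the bound self-explaining and easy to keep in sync if the header parsing ever changes. flashsv_decode_frame starts and ends outside this hunk.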
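Review bot: The rejection path in the second hunk performs the frame cleanup inline, `avctx->release_buffer(avctx, &s->frame); s->frame.data[0] = NULL; return -1;`, which is exactly the cleanup every other early exit inside this per-block loop needs; a single `goto fail;` to one cleanup label at the end of flashsv_decode_frame would keep each check to one line and avoid the copies drifting apart. The condition itself deserves a comment, since `size` comes straight from the bitstream and the multiply is only safe because a 16-bit read cannot exceed 65535: `/* size is untrusted: the zlib chunk must lie entirely within the remaining input */`. Note that this check bounds only the compressed input; whatever limits the inflated output written for this block is outside the hunk and should be confirmed separately. flashsv_decode_frame starts and ends outside this hunk.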