author | Michael Niedermayer <michaelni@gmx.at> | 2013-02-18 03:56:01 +0400 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-02-18 03:56:01 +0400 |
commit | 7378101d41020ee9f4643740ebf1b9142afca557 (patch) | |
tree | d23ff231538f8385182a4138a2d874fbc72fa378 /libavcodec/vqavideo.c | |
parent | da5f4e4d19917bce4b9213ff3d433ddf30e22fe5 (diff) | |
parent | 377fabc9e687a3c73fdb235f773f6e9151378ca5 (diff) |
Merge branch 'release/0.8' into release/0.7
* release/0.8: (92 commits)
Update for 0.8.13
pngdec/filter: dont access out of array elements at the end
aacdec: check channel count
vqavideo: check chunk sizes before reading chunks
eamad: fix out of array accesses
roqvideodec: check dimensions validity
qdm2: check array index before use, fix out of array accesses
alsdec: check block length
huffyuvdec: Skip len==0 cases
huffyuvdec: Check init_vlc() return codes.
Update changelog for 0.7.7 release
mpeg12: do not decode extradata more than once.
indeo4/5: check empty tile size in decode_mb_info().
dfa: improve boundary checks in decode_dds1()
indeo5dec: Make sure we have had a valid gop header.
rv34: error out on size changes with frame threading
rtmp: fix buffer overflows in ff_amf_tag_contents()
rtmp: fix multiple broken overflow checks
Revert "h264: allow cropping to AVCodecContext.width/height"
h264: check ref_count validity for num_ref_idx_active_override_flag
...
Conflicts:
Doxyfile
RELEASE
VERSION
libavcodec/rv34.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/vqavideo.c')
-rw-r--r-- | libavcodec/vqavideo.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index d1eab5bfa1..6e1ce6c0d2 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s) chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]); cbp0_chunk += CHUNK_PREAMBLE_SIZE; + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], &s->buf[cbp0_chunk], chunk_size); @@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s) chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]); cbpz_chunk += CHUNK_PREAMBLE_SIZE; + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], &s->buf[cbpz_chunk], chunk_size); |
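Review bot: Both added guards end in `return AVERROR_INVALIDDATA;`, but the hunk headers show the enclosing function as `static void vqa_decode_chunk(VqaContext *s)`, so on this branch the returned value is a constraint violation that compilers typically only warn about, and the caller cannot see the error. Either write a bare `return;` after the `av_log()` call in the cbp0 guard and in the cbpz guard of the second hunk, or change the function to return `int` and have its caller reject the frame on a negative result. The second is preferable, since otherwise a frame whose codebook chunk was rejected is presumably still handed back as decoded. The new comparison bounds only the destination `next_codebook_buffer`; whether `chunk_size` is also checked against the bytes remaining in `s->buf` before the `memcpy` reads from it is not visible in these hunks and should be confirmed. The function body starts and ends outside both hunks.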