author | Alex Converse <alex.converse@gmail.com> | 2012-02-10 08:21:47 +0400 |
committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-01 20:33:28 +0400 |
commit | f5ce67d837cd686f12c515e601acd6e2a5df05a7 (patch) | |
tree | 638de98c39279ab3d427329dfcc0c877b988a0a4 /libavcodec | |
parent | b0888b8a48dbc4a5aa0aaed016b72fbbb7c30261 (diff) |
svq3: Prevent illegal reads while parsing extradata.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/svq3.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 09d598c044..662d74d6fb 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -809,7 +809,9 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
     MpegEncContext *s = &h->s;
     int m;
     unsigned char *extradata;
+    unsigned char *extradata_end;
     unsigned int size;
+    int marker_found = 0;
     if (ff_h264_decode_init(avctx) < 0)
         return -1;
@@ -829,19 +831,26 @@ static av_cold int svq3_decode_init(AVCodecContext *avctx)
     /* prowl for the "SEQH" marker in the extradata */
     extradata = (unsigned char *)avctx->extradata;
-    for (m = 0; m < avctx->extradata_size; m++) {
-        if (!memcmp(extradata, "SEQH", 4))
-            break;
-        extradata++;
+    extradata_end = avctx->extradata + avctx->extradata_size;
+    if (extradata) {
+        for (m = 0; m + 8 < avctx->extradata_size; m++) {
+            if (!memcmp(extradata, "SEQH", 4)) {
+                marker_found = 1;
+                break;
+            }
+            extradata++;
+        }
     }
     /* if a match was found, parse the extra data */
-    if (extradata && !memcmp(extradata, "SEQH", 4)) {
+    if (marker_found) {
         GetBitContext gb;
         int frame_size_code;
         size = AV_RB32(&extradata[4]);
+        if (size > extradata_end - extradata - 8)
+            return AVERROR_INVALIDDATA;
         init_get_bits(&gb, extradata + 8, size*8);
         /* 'frame size code' and optional 'width, height' */
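Review bot: `extradata_end` is declared in the first hunk without any note of what it bounds, and its only use is the length check much further down; a one-line comment on the declaration would make the invariant visible, `unsigned char *extradata_end; /* one past the last byte of avctx->extradata */`. The existing `unsigned int size` declared next to it is later compared against a pointer difference (a signed ptrdiff_t), which appears safe only because the search loop's `m + 8 < avctx->extradata_size` guard leaves at least nine bytes after the marker, so a short comment at that comparison would spare the reader reconstructing the argument. svq3_decode_init begins before this hunk, and the second hunk of this file runs past the visible text, so its trailing context is not reviewed here.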