[FFmpeg-cvslog] 4xm: validate the buffer size before parsing it

Luca Barbato git at videolan.org
Mon Nov 4 17:37:40 CET 2013


ffmpeg | branch: release/0.10 | Luca Barbato <lu_zero at gentoo.org> | Fri Jun  7 16:16:46 2013 +0200| [cd9b0bb07a66d3299bd62922e9dfa742219abe79] | committer: Luca Barbato

4xm: validate the buffer size before parsing it

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a)

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd9b0bb07a66d3299bd62922e9dfa742219abe79
---

 libavcodec/4xm.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 77d15d5..52c16cf 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -382,6 +382,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
     unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
 
     if(f->version>1){
+        if (length < 20)
+            return AVERROR_INVALIDDATA;
         extra=20;
         bitstream_size= AV_RL32(buf+8);
         wordstream_size= AV_RL32(buf+12);
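Review bot: The new `length < 20` guard only covers the fixed header; `bitstream_size` and `wordstream_size` (and presumably `bytestream_size`, read just below the hunk) are attacker-controlled 32-bit values, and nothing in this hunk bounds them against `length - extra` before they are used as sizes or offsets. If the later consistency check is a sum such as `bitstream_size + bytestream_size + wordstream_size + extra == length`, note that the `unsigned int` sum can wrap, so each term should also be checked individually, e.g. `if (bitstream_size > length || bytestream_size > length || wordstream_size > length) return AVERROR_INVALIDDATA;`. The `version <= 1` branch, which presumably reads a smaller header, gets no minimum-length check in this hunk. decode_p_frame starts before and continues after the hunk, so the later validation may already exist — worth confirming.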
@@ -734,18 +736,28 @@ static int decode_frame(AVCodecContext *avctx,
     AVFrame *p, temp;
     int i, frame_4cc, frame_size;
 
-    frame_4cc= AV_RL32(buf);
-    if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
-        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
+    if (buf_size < 20)
+        return AVERROR_INVALIDDATA;
+
+    if (buf_size < AV_RL32(buf + 4) + 8) {
+        av_log(f->avctx, AV_LOG_ERROR,
+               "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
     }
 
+    frame_4cc = AV_RL32(buf);
+
     if(frame_4cc == AV_RL32("cfrm")){
         int free_index=-1;
-        const int data_size= buf_size - 20;
-        const int id= AV_RL32(buf+12);
-        const int whole_size= AV_RL32(buf+16);
+        int id, whole_size;
+        const int data_size = buf_size - 20;
         CFrameBuffer *cfrm;
 
+        if (data_size < 0)
+            return AVERROR_INVALIDDATA;
+
+        id         = AV_RL32(buf + 12);
+        whole_size = AV_RL32(buf + 16);
+
         for(i=0; i<CFRAME_BUFFER_COUNT; i++){
             if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
                 av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
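Review bot: The relaxed size check at `if (buf_size < AV_RL32(buf + 4) + 8)` still only logs — execution continues into the frame-type dispatch with a mismatched size, as it did before the patch — and the `+ 8` is evaluated in 32-bit unsigned arithmetic, so a stored size of `0xFFFFFFF8` or above wraps to a small value and the mismatch is not even reported. A wrap-safe form is `if (AV_RL32(buf + 4) > (unsigned)buf_size - 8)` (valid because `buf_size >= 20` is established two lines earlier), and if a short payload is meant to be rejected rather than merely logged, the branch should `return AVERROR_INVALIDDATA;`. The `data_size < 0` check in the cfrm branch can never fire after the `buf_size < 20` early return, so either drop it or mark it `/* defensive: buf_size >= 20 already checked above */`. `id` and `whole_size` are attacker-controlled and their uses lie past the end of the hunk; decode_frame continues outside it.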


