avcodec/flashsv: Check size before updating it

Fixes out of array read
Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 9 years ago
parent e04126072e
commit 17705f5d4f
  1. 8
      libavcodec/flashsv.c

@ -413,6 +413,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
} }
if (has_diff) { if (has_diff) {
if (size < 3) {
av_log(avctx, AV_LOG_ERROR, "size too small for diff\n");
return AVERROR_INVALIDDATA;
}
if (!s->keyframe) { if (!s->keyframe) {
av_log(avctx, AV_LOG_ERROR, av_log(avctx, AV_LOG_ERROR,
"Inter frame without keyframe\n"); "Inter frame without keyframe\n");
@ -440,6 +444,10 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
int row = get_bits(&gb, 8); int row = get_bits(&gb, 8);
av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n", av_log(avctx, AV_LOG_DEBUG, "%dx%d zlibprime_curr %dx%d\n",
i, j, col, row); i, j, col, row);
if (size < 3) {
av_log(avctx, AV_LOG_ERROR, "size too small for zlibprime_curr\n");
return AVERROR_INVALIDDATA;
}
size -= 2; size -= 2;
avpriv_request_sample(avctx, "zlibprime_curr"); avpriv_request_sample(avctx, "zlibprime_curr");
return AVERROR_PATCHWELCOME; return AVERROR_PATCHWELCOME;
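Review bot: In the second hunk the new `size < 3` guard is placed after `int row = get_bits(&gb, 8);` (and presumably after the matching `col` read just above the hunk), so the two header bytes are consumed before the remaining length is validated, and because the branch ends in `return AVERROR_PATCHWELCOME` the `size -= 2` it protects is never observed — the check only changes which error code is reported. Moving the guard above the `get_bits()` reads would mirror the first hunk, where the check is done before the reads that `size -= 2` accounts for, and would make the bounds check independent of whatever overread protection the bit reader provides. The constant 3 is unexplained in both hunks; a comment such as `/* 2 header bytes plus at least 1 byte of payload */` would help, assuming that is the intent. Where `size` is first derived and whether it is signed is outside both hunks, and flashsv_decode_frame begins and ends outside them.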
