(parent: 8ba4361)
Fix crash in MLP decoder due to integer overflow.
author Reimar Döffinger <Reimar.Doeffinger@gmx.de> Sun, 24 Jan 2010 18:07:29 +0000
committer Reimar Döffinger <Reimar.Doeffinger@gmx.de> Sun, 24 Jan 2010 18:07:29 +0000
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.
Originally committed as revision 21426 to svn://svn.ffmpeg.org/ffmpeg/trunk
libavcodec/mlpdec.c
diff --git
a/libavcodec/mlpdec.c
b/libavcodec/mlpdec.c
index
8060ebe
..
bfde83c
100644
(file)
--- a/
libavcodec/mlpdec.c
+++ b/
libavcodec/mlpdec.c
@@
-959,7
+959,7
@@
static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
length = (AV_RB16(buf) & 0xfff) * 2;
- if (length > buf_size)
+ if (length
< 4 || length
> buf_size)
return -1;
init_get_bits(&gb, (buf + 4), (length - 4) * 8);
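Review bot: The bare 4 in the new `length < 4` bound has to stay in step with the `buf + 4` and `(length - 4) * 8` in the init_get_bits call right after it, and nothing in the hunk says why. A one-line comment, or a named constant for the 4 bytes skipped ahead of the bit reader, stating that a smaller length makes the bit count passed to init_get_bits negative would document the check for the next person who touches either line. The rejection path is still a plain `return -1;` with no message, so consider an av_log error there so that an access unit rejected for a bad length can be told apart from other decode failures.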