4xm: check bitstream_size boundary before using it

author Luca Barbato <lu_zero@gentoo.org>

Mon, 10 Jun 2013 14:37:43 +0000 (16:37 +0200)

committer Luca Barbato <lu_zero@gentoo.org>

Wed, 12 Jun 2013 12:45:46 +0000 (14:45 +0200)
author Luca Barbato <lu_zero@gentoo.org>
Mon, 10 Jun 2013 14:37:43 +0000 (16:37 +0200)
committer Luca Barbato <lu_zero@gentoo.org>
Wed, 12 Jun 2013 12:45:46 +0000 (14:45 +0200)
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c

index 5814c3a..a4e6965 100644 (file)
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -739,6 +739,9 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
      unsigned int prestream_size;
      const uint8_t *prestream;
  
+    if (bitstream_size > (1 << 26))
+        return AVERROR_INVALIDDATA;
+
      if (length < bitstream_size + 12) {
          av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n");
          return AVERROR_INVALIDDATA;
@@ -749,7 +752,6 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
      prestream      =             buf + bitstream_size + 12;
  
      if (prestream_size + bitstream_size + 12 != length
-        || bitstream_size > (1 << 26)
          || prestream_size > (1 << 26)) {
          av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n",
                 prestream_size, bitstream_size, length);
author	Luca Barbato <lu_zero@gentoo.org>
	Mon, 10 Jun 2013 14:37:43 +0000 (16:37 +0200)
committer	Luca Barbato <lu_zero@gentoo.org>
	Wed, 12 Jun 2013 12:45:46 +0000 (14:45 +0200)