From 39c5cd601ef09b1a540471960cb3a7e3ba17cb3c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Nov 2012 02:50:59 +0100 Subject: [PATCH] vmnc: check input size before reading chunk header, fix overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/vmnc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c index 62a1312de6..d3c86f1f97 100644 --- a/libavcodec/vmnc.c +++ b/libavcodec/vmnc.c @@ -332,6 +332,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac src += 2; chunks = AV_RB16(src); src += 2; while(chunks--) { + if(buf_size - (src - buf) < 12) { + av_log(avctx, AV_LOG_ERROR, "Premature end of data!\n"); + return -1; + } dx = AV_RB16(src); src += 2; dy = AV_RB16(src); src += 2; w = AV_RB16(src); src += 2;