xenia-project/FFmpeg
1
0
Fork 0
mirror of https://github.com/xenia-project/FFmpeg.git synced 2024-12-03 00:56:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

rmdec: Limit videobufsize to remaining amount of data

Browse Source 
Fixes excessive memory allocation

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-01-07 21:31:40 +01:00
parent f65daf577a
commit 0780fe2740
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavformat/rmdec.c
View File

@ -25,6 +25,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/dict.h"
#include "avformat.h"
#include "avio_internal.h"
#include "internal.h"
#include "rmsipr.h"
#include "rm.h"
@ -696,6 +697,10 @@ static int rm_assemble_video_frame(AVFormatContext *s, AVIOContext *pb,
*pseq = seq;
if((seq & 0x7F) == 1 || vst->curpic_num != pic_num){
if (len2 > ffio_limit(pb, len2)) {
av_log(s, AV_LOG_ERROR, "Impossibly sized packet\n");
return AVERROR_INVALIDDATA;
}
vst->slices = ((hdr & 0x3F) << 1) + 1;
vst->videobufsize = len2 + 8*vst->slices + 1;
av_free_packet(&vst->pkt); //FIXME this should be output.