Merge commit 'de2e5777e225e75813daf2373c95e223651fd89a'

* commit 'de2e5777e225e75813daf2373c95e223651fd89a': 4xm: validate the buffer size before parsing it Conflicts: libavcodec/4xm.c See: 9c661e95 Merged-by: Michael Niedermayer <michaelni@gmx.at>
2024-11-25 04:30:02 +00:00 · 2013-06-13 13:41:27 +02:00 · 2013-06-13 13:41:27 +02:00 · dbddd587e1
commit dbddd587e1
parent f13f4d2b08 de2e5777e2
1 changed files with 17 additions and 11 deletions
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@ -440,7 +440,7 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame,
    if (f->version > 1) {
        extra           = 20;
        if (length < extra)
-            return -1;
+            return AVERROR_INVALIDDATA;
        bitstream_size  = AV_RL32(buf + 8);
        wordstream_size = AV_RL32(buf + 12);
        bytestream_size = AV_RL32(buf + 16);
@ -827,30 +827,36 @@ static int decode_frame(AVCodecContext *avctx, void *data,
    AVFrame *picture      = data;
    int i, frame_4cc, frame_size, ret;

-    if (buf_size < 12)
+    if (buf_size < 20)
        return AVERROR_INVALIDDATA;
-    frame_4cc = AV_RL32(buf);
-    if (buf_size != AV_RL32(buf + 4) + 8 || buf_size < 20)
+
+    if (buf_size < AV_RL32(buf + 4) + 8) {
        av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n",
               buf_size, AV_RL32(buf + 4));
+        return AVERROR_INVALIDDATA;
+    }
+
+    frame_4cc = AV_RL32(buf);

    if (frame_4cc == AV_RL32("cfrm")) {
        int free_index       = -1;
+        int id, whole_size;
        const int data_size  = buf_size - 20;
-        const int id         = AV_RL32(buf + 12);
-        const int whole_size = AV_RL32(buf + 16);
        CFrameBuffer *cfrm;

-        if (data_size < 0 || whole_size < 0) {
-            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
-            return AVERROR_INVALIDDATA;
-        }
-
        if (f->version <= 1) {
            av_log(f->avctx, AV_LOG_ERROR, "cfrm in version %d\n", f->version);
            return AVERROR_INVALIDDATA;
        }

+        id         = AV_RL32(buf + 12);
+        whole_size = AV_RL32(buf + 16);
+
+        if (data_size < 0 || whole_size < 0) {
+            av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        for (i = 0; i < CFRAME_BUFFER_COUNT; i++)
            if (f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
                av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n",