[FFmpeg-cvslog] fraps: fix version 0/1 input data size check.

Michael Niedermayer git at videolan.org
Thu Jun 7 01:44:20 CEST 2012


ffmpeg | branch: release/0.11 | Michael Niedermayer <michaelni at gmx.at> | Fri Jun  1 23:21:03 2012 +0200| [0964e189dafc382d06dfc78ffba55d028f7df6d5] | committer: Michael Niedermayer

fraps: fix version 0/1 input data size check.

Fixes array overread.
Fixes Ticket1371

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 0bae6661cd171abf55cfa4b8970b08c470d65dee)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0964e189dafc382d06dfc78ffba55d028f7df6d5
---

 libavcodec/fraps.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index 30c23d8..1cf4062 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -161,17 +161,17 @@ static int decode_frame(AVCodecContext *avctx,
         unsigned needed_size = avctx->width*avctx->height*3;
         if (version == 0) needed_size /= 2;
         needed_size += header_size;
-        if (buf_size != needed_size && buf_size != header_size) {
-            av_log(avctx, AV_LOG_ERROR,
-                   "Invalid frame length %d (should be %d)\n",
-                   buf_size, needed_size);
-            return -1;
-        }
         /* bit 31 means same as previous pic */
         if (header & (1U<<31)) {
             *data_size = 0;
             return buf_size;
         }
+        if (buf_size != needed_size) {
+            av_log(avctx, AV_LOG_ERROR,
+                   "Invalid frame length %d (should be %d)\n",
+                   buf_size, needed_size);
+            return -1;
+        }
     } else {
         /* skip frame */
         if (buf_size == 8) {



More information about the ffmpeg-cvslog mailing list