[FFmpeg-cvslog] truemotion2dec: Fix overread of input.

Michael Niedermayer git at videolan.org
Sat Mar 24 18:18:26 CET 2012


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sat Mar 24 17:42:14 2012 +0100| [9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6] | committer: Michael Niedermayer

truemotion2dec: Fix overread of input.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6
---

 libavcodec/truemotion2.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 1ccac32..e29845c 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -256,6 +256,11 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     int len, toks;
     TM2Codes codes;
 
+    if (buf_size < 4) {
+        av_log(ctx->avctx, AV_LOG_ERROR, "not enough space for len left\n");
+        return -1;
+    }
+
     /* get stream length in dwords */
     len = AV_RB32(buf); buf += 4; cur += 4;
     skip = len * 4 + 4;
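Review bot: The new `buf_size < 4` guard at the top of tm2_read_stream covers only the 4-byte length read; the `len` value taken from `AV_RB32(buf)` still flows into `skip = len * 4 + 4` with no bound in the lines shown here. If nothing further down rejects it, a large or negative `len` can overflow the signed multiply or produce a `skip` that points past the end of the input. Consider validating `len` against the remaining size right after the read, for example rejecting `len < 0 || len > (buf_size - 4) / 4`, and returning a specific error code such as AVERROR_INVALIDDATA instead of a bare -1.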
@@ -795,7 +800,7 @@ static int decode_frame(AVCodecContext *avctx,
     }
 
     for(i = 0; i < TM2_NUM_STREAMS; i++){
-        t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size);
+        t = tm2_read_stream(l, l->buffer + skip, tm2_stream_order[i], buf_size - skip);
         if(t == -1){
             return -1;
         }
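Review bot: The corrected argument `buf_size - skip` in the decode_frame loop is only meaningful if `skip <= buf_size` on every iteration, and nothing in the visible lines establishes that. A negative remainder is rejected by the new `buf_size < 4` check in tm2_read_stream only as long as that parameter stays a signed int, so the safety of this call rests on a type detail in another function, and `l->buffer + skip` is already computed before that check runs. An explicit `if (skip > buf_size)` test before the call, or a short comment stating the dependency, would keep this robust against later refactoring.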


