[FFmpeg-cvslog] cdgraphics: switch to bytestream2
Anton Khirnov
git at videolan.org
Fri Aug 8 16:01:17 CEST 2014
ffmpeg | branch: release/1.1 | Anton Khirnov <anton at khirnov.net> | Wed Aug 6 10:46:50 2014 +0000| [8cd67ddde46a42a33149e7d42a2ab47852ff2a83] | committer: Anton Khirnov
cdgraphics: switch to bytestream2
Fixes possible invalid memory accesses on corrupted data.
CC:libav-stable at libav.org
Bug-ID: CVE-2013-3674
(cherry picked from commit a1599f3f7ea8478d1f6a95e59e3bc6bc86d5f812)
Signed-off-by: Anton Khirnov <anton at khirnov.net>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8cd67ddde46a42a33149e7d42a2ab47852ff2a83
---
libavcodec/cdgraphics.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index e4ed83b..8dbcd42 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -269,7 +269,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
static int cdg_decode_frame(AVCodecContext *avctx,
void *data, int *got_frame, AVPacket *avpkt)
{
- const uint8_t *buf = avpkt->data;
+ GetByteContext gb;
int buf_size = avpkt->size;
int ret;
uint8_t command, inst;
@@ -277,10 +277,8 @@ static int cdg_decode_frame(AVCodecContext *avctx,
AVFrame new_frame;
CDGraphicsContext *cc = avctx->priv_data;
- if (buf_size < CDG_MINIMUM_PKT_SIZE) {
- av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
- return AVERROR(EINVAL);
- }
+ bytestream2_init(&gb, avpkt->data, avpkt->size);
+
ret = avctx->reget_buffer(avctx, &cc->frame);
if (ret) {
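Review bot: Dropping the `buf_size < CDG_MINIMUM_PKT_SIZE` rejection in this hunk lets truncated packets proceed into decoding, and the reads in the following hunk (`bytestream2_get_byte`, `bytestream2_get_buffer`) have their results left unchecked, so a short input goes unnoticed. The bounded reader stops the out-of-bounds access, but `cdg_data` may then be only partly filled from the packet. Its declaration and any initialisation are outside the hunk, so the instruction handlers could end up acting on leftover stack bytes. An explicit check right after the init would keep the old contract, e.g. `if (bytestream2_get_bytes_left(&gb) < CDG_MINIMUM_PKT_SIZE) return AVERROR_INVALIDDATA;`. The body of cdg_decode_frame starts and ends outside this hunk.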
@@ -288,11 +286,11 @@ static int cdg_decode_frame(AVCodecContext *avctx,
return ret;
}
- command = bytestream_get_byte(&buf);
- inst = bytestream_get_byte(&buf);
+ command = bytestream2_get_byte(&gb);
+ inst = bytestream2_get_byte(&gb);
inst &= CDG_MASK;
- buf += 2; /// skipping 2 unneeded bytes
- bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
+ bytestream2_skip(&gb, 2);
+ bytestream2_get_buffer(&gb, cdg_data, sizeof(cdg_data));
if ((command & CDG_MASK) == CDG_COMMAND) {
switch (inst) {
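Review bot: The explanation for the two skipped bytes was lost when `buf += 2;` became `bytestream2_skip(&gb, 2);`, and restoring it as `bytestream2_skip(&gb, 2); /* skip 2 unneeded bytes */` keeps the packet layout readable. On the next line, `sizeof(cdg_data)` is the correct bound only while `cdg_data` is a real array local to this function; its declaration is outside the hunk. A short comment such as `/* copy at most sizeof(cdg_data); never trust the packet size here */` would record why the length no longer comes from `buf_size`.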