dv: check buffer size before reading profile.

Message ID 20120307215511.77F1F5E081@aruru.libav.org
State New

Commit Message

Janne Grunau March 7, 2012, 9:55 p.m.
Module: libav
Branch: master
Commit: e97efecec82ca8458a9bbd75a91ebf556abde362

Author:    Ronald S. Bultje <rsbultje@gmail.com>
Committer: Ronald S. Bultje <rsbultje@gmail.com>
Date:      Wed Mar  7 13:48:41 2012 -0800

dv: check buffer size before reading profile.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

---

 libavcodec/dvdata.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

Patch

diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c
index e9929d0..ac6e993 100644
--- a/libavcodec/dvdata.c
+++ b/libavcodec/dvdata.c
@@ -286,11 +286,13 @@  static const DVprofile dv_profiles[] = {
 const DVprofile* avpriv_dv_frame_profile(const DVprofile *sys,
                                   const uint8_t* frame, unsigned buf_size)
 {
-   int i;
+   int i, dsf, stype;
 
-   int dsf = (frame[3] & 0x80) >> 7;
+    if (buf_size < 80*5 + 48 + 4)
+        return NULL;
 
-   int stype = frame[80*5 + 48 + 3] & 0x1f;
+   dsf = (frame[3] & 0x80) >> 7;
+   stype = frame[80*5 + 48 + 3] & 0x1f;
 
    /* 576i50 25Mbps 4:1:1 is a special case */
    if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {
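
Review bot: The bound in the new `if (buf_size < 80*5 + 48 + 4)` check is a bare expression that must stay exactly one more than the largest index read a few lines later, `frame[80*5 + 48 + 3]`. A named constant shared by the check and the index, or a short comment stating that relationship, would keep the two from drifting apart in a later edit. The value itself is right for the visible reads: 452 bytes covers `frame[3]`, `frame[4]` and offset 451. The early `return NULL` is a new result for short input, and these lines do not show the callers of `avpriv_dv_frame_profile`, so each call site should be checked for NULL handling before this goes to the stable branches named in the CC line.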