dv: check buffer size before reading profile.

Message ID 20120314210242.A2FF05E088@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau March 14, 2012, 9:02 p.m.
Module: libav
Branch: release/0.8
Commit: 74871ac70ae387470a5da469157050cb2d3ed36f

Author:    Ronald S. Bultje <rsbultje@gmail.com>
Committer: Reinhard Tartler <siretart@tauware.de>
Date:      Wed Mar  7 13:48:41 2012 -0800

dv: check buffer size before reading profile.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e97efecec82ca8458a9bbd75a91ebf556abde362)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

---

 libavcodec/dvdata.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

Patch

diff --git a/libavcodec/dvdata.c b/libavcodec/dvdata.c
index 3a135a9..62e569c 100644
--- a/libavcodec/dvdata.c
+++ b/libavcodec/dvdata.c
@@ -248,11 +248,13 @@  static const DVprofile dv_profiles[] = {
 const DVprofile* avpriv_dv_frame_profile(const DVprofile *sys,
                                   const uint8_t* frame, unsigned buf_size)
 {
-   int i;
+   int i, dsf, stype;
 
-   int dsf = (frame[3] & 0x80) >> 7;
+    if (buf_size < 80*5 + 48 + 4)
+        return NULL;
 
-   int stype = frame[80*5 + 48 + 3] & 0x1f;
+   dsf = (frame[3] & 0x80) >> 7;
+   stype = frame[80*5 + 48 + 3] & 0x1f;
 
    /* 576i50 25Mbps 4:1:1 is a special case */
    if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {