[03/17] avidec: Make sure a packet is large enough before reading its data

Message ID 1380406879-6174-3-git-send-email-martin@martin.st
State Committed
Commit 8d07258bb6063d0780ce2d39443d6dc6d8eedc5a
Headers show

Commit Message

Martin Storsjö Sept. 28, 2013, 10:21 p.m.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavformat/avidec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Luca Barbato Sept. 29, 2013, 6:35 a.m. | #1
On 29/09/13 00:21, Martin Storsjö wrote:
> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> CC: libav-stable@libav.org
> ---
>  libavformat/avidec.c |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 

Looks fine.

Patch

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 1212c6a..3616281 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -816,7 +816,8 @@  fail:
 
 static int read_gab2_sub(AVStream *st, AVPacket *pkt)
 {
-    if (!strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
+    if (pkt->size >= 7 &&
+        !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
         uint8_t desc[256];
         int score      = AVPROBE_SCORE_EXTENSION, ret;
         AVIStream *ast = st->priv_data;