vp7: bound checking in vp7_decode_frame_header

Message ID 20150816180331.46D515DACE@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau Aug. 16, 2015, 6:03 p.m.
Module: libav
Branch: master
Commit: 7bf9647264308d2df74b2b50669f2d02a7ecc90b

Author:    Federico Tomassetti <federico@tomassetti.me>
Committer: Luca Barbato <lu_zero@gentoo.org>
Date:      Thu Aug 13 15:35:53 2015 +0200

vp7: bound checking in vp7_decode_frame_header

CC: libav-stable@libav.org

---

 libavcodec/vp8.c |    8 ++++++++
 1 file changed, 8 insertions(+)

Patch

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index f11076a..55ebae6 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -480,6 +480,10 @@  static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
     int width  = s->avctx->width;
     int height = s->avctx->height;
 
+    if (buf_size < 4) {
+        return AVERROR_INVALIDDATA;
+    }
+
     s->profile = (buf[0] >> 1) & 7;
     if (s->profile > 1) {
         avpriv_request_sample(s->avctx, "Unknown profile %d", s->profile);
@@ -493,6 +497,10 @@  static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
     buf      += 4 - s->profile;
     buf_size -= 4 - s->profile;
 
+    if (buf_size < part1_size) {
+        return AVERROR_INVALIDDATA;
+    }
+
     memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab));
 
     ff_vp56_init_range_decoder(c, buf, part1_size);