vble: check packet size.
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 29 Nov 2012 22:10:03 +0000 (23:10 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Thu, 29 Nov 2012 22:12:42 +0000 (23:12 +0100)
Fixes null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/vble.c

index 448006a..2c68178 100644 (file)
@@ -127,6 +127,11 @@ static int vble_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     if (pic->data[0])
         avctx->release_buffer(avctx, pic);
 
+    if (avpkt->size < 4 || avpkt->size - 4 > INT_MAX/8) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid packet size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Allocate buffer */
     if (avctx->get_buffer(avctx, pic) < 0) {
         av_log(avctx, AV_LOG_ERROR, "Could not allocate buffer.\n");