avformat/ipmovie: check OPCODE_INIT_VIDEO_BUFFERS size more completely
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 22 Nov 2013 18:47:34 +0000 (19:47 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 22 Nov 2013 18:49:25 +0000 (19:49 +0100)
Fixes use of uninitialized data

Fixes: signal_sigsegv_1571228_5930_ipmovie_interplayvideo_interplay_dpcm__bislogo.mve

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
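--- a/libavformat/ipmovie.c
+++ b/libavformat/ipmovie.c
@@ -376,7 +376,7 @@ static int process_ipmovie_chunk(IPMVEContext *s, AVIOContext *pb,
 
         case OPCODE_INIT_VIDEO_BUFFERS:
             av_dlog(NULL, "initialize video buffers\n");
-            if ((opcode_version > 2) || (opcode_size > 8)) {
+            if ((opcode_version > 2) || (opcode_size > 8) || opcode_size < 4) {
                 av_dlog(NULL, "bad init_video_buffers opcode\n");
                 chunk_type = CHUNK_BAD;
                 break;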
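Review bot: The new lower bound on line 20 only guarantees that the first 4 bytes of the opcode payload were read, so if the handler below (outside this hunk) consumes additional fields for opcode_version 2 — the 8-byte upper bound suggests the version-2 layout carries more than the 4 bytes of width/height — a version-2 opcode with opcode_size between 4 and 7 still passes the check and would read past what was filled in, which is the same class of uninitialized-data use this commit addresses. I cannot confirm that from the visible lines, but if a field beyond offset 4 is read for version 2, the guard should be tightened per version, e.g. `if ((opcode_version > 2) || (opcode_size > 8) || (opcode_size < 4) || (opcode_version == 2 && opcode_size < 8)) {`. The parenthesised form also keeps the new term consistent with the two existing ones on the same line. The enclosing switch case and process_ipmovie_chunk continue outside the hunk.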