avcodec/shorten: Check skip_bytes()
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 15 May 2015 14:48:31 +0000 (16:48 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 1 Jun 2015 21:25:21 +0000 (23:25 +0200)
Fixes CID1210526

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d201becfc0d89c6a5dfe44e96f1044fbc2aadb70)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/shorten.c

index 4e63274..7eb3ac4 100644 (file)
@@ -369,6 +369,11 @@ static int read_header(ShortenContext *s)
         s->nmean = get_uint(s, 0);
 
         skip_bytes = get_uint(s, NSKIPSIZE);
+        if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) {
+            av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes);
+            return AVERROR_INVALIDDATA;
+        }
+
         for (i = 0; i < skip_bytes; i++)
             skip_bits(&s->gb, 8);
     }