dv: check buffer size before reading profile.
authorRonald S. Bultje <rsbultje@gmail.com>
Wed, 7 Mar 2012 21:48:41 +0000 (13:48 -0800)
committerReinhard Tartler <siretart@tauware.de>
Tue, 13 Mar 2012 22:30:21 +0000 (23:30 +0100)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e97efecec82ca8458a9bbd75a91ebf556abde362)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavcodec/dvdata.c

index 3a135a9..62e569c 100644 (file)
@@ -248,11 +248,13 @@ static const DVprofile dv_profiles[] = {
 const DVprofile* avpriv_dv_frame_profile(const DVprofile *sys,
                                   const uint8_t* frame, unsigned buf_size)
 {
-   int i;
+   int i, dsf, stype;
 
-   int dsf = (frame[3] & 0x80) >> 7;
+    if (buf_size < 80*5 + 48 + 4)
+        return NULL;
 
-   int stype = frame[80*5 + 48 + 3] & 0x1f;
+   dsf = (frame[3] & 0x80) >> 7;
+   stype = frame[80*5 + 48 + 3] & 0x1f;
 
    /* 576i50 25Mbps 4:1:1 is a special case */
    if (dsf == 1 && stype == 0 && frame[4] & 0x07 /* the APT field */) {