zmbvdec: Check the buffer size for uncompressed data
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 11 Nov 2012 17:08:39 +0000 (18:08 +0100)
committerLuca Barbato <lu_zero@gentoo.org>
Tue, 7 Jan 2014 08:43:56 +0000 (09:43 +0100)
Also don't pointlessly set the buffer size to 1 after copying
one packet.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0d61f260010707f3028b818e8b24598e1a83d696)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavcodec/zmbv.c

index a36a844..9df0d53 100644 (file)
@@ -497,8 +497,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
      }
 
      if (c->comp == 0) { //Uncompressed data
+         if (c->decomp_size < len) {
+             av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
+             return AVERROR_INVALIDDATA;
+         }
          memcpy(c->decomp_buf, buf, len);
-         c->decomp_size = 1;
      } else { // ZLIB-compressed data
         c->zstream.total_in = c->zstream.total_out = 0;
         c->zstream.next_in = buf;