mpeg4videodec: Check that cplx_estimation_* fits in the available space
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 31 May 2012 16:54:00 +0000 (18:54 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Wed, 6 Jun 2012 22:55:24 +0000 (00:55 +0200)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b02cc2ddc610cd84bbee5923a642a8324988b28c)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/mpeg4videodec.c

index bd1910b..263ac99 100644 (file)
@@ -2050,6 +2050,10 @@ static int decode_vop_header(MpegEncContext *s, GetBitContext *gb){
          if(s->pict_type == AV_PICTURE_TYPE_B)
             skip_bits_long(gb, s->cplx_estimation_trash_b);
 
+         if(get_bits_left(gb) < 3) {
+             av_log(s->avctx, AV_LOG_ERROR, "Header truncated\n");
+             return -1;
+         }
          s->intra_dc_threshold= ff_mpeg4_dc_threshold[ get_bits(gb, 3) ];
          if(!s->progressive_sequence){
              s->top_field_first= get_bits1(gb);