[libav-commits] truemotion2: check size before GetBitContext initialisation

Janne Grunau git at libav.org
Thu Jan 5 23:19:52 CET 2012


Module: libav
Branch: master
Commit: 696ace50ea91a65dff887aaf5296f42a2fbc8f6c

Author:    Janne Grunau <janne-libav at jannau.net>
Committer: Janne Grunau <janne-libav at jannau.net>
Date:      Thu Jan  5 21:28:03 2012 +0100

truemotion2: check size before GetBitContext initialisation

Prevents null ptr derefence for negative sizes.

---

 libavcodec/truemotion2.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 8d72bb6..4045342 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -272,6 +272,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
             len = AV_RB32(buf); buf += 4; cur += 4;
         }
         if(len > 0) {
+            if (skip <= cur)
+                return -1;
             init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
             if(tm2_read_deltas(ctx, stream_id) == -1)
                 return -1;
@@ -286,6 +288,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     buf += 4; cur += 4;
     buf += 4; cur += 4; /* unused by decoder */
 
+    if (skip <= cur)
+        return -1;
     init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
     if(tm2_build_huff_table(ctx, &codes) == -1)
         return -1;
@@ -303,6 +307,8 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
     ctx->tok_lens[stream_id] = toks;
     len = AV_RB32(buf); buf += 4; cur += 4;
     if(len > 0) {
+        if (skip <= cur)
+            return -1;
         init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
         for(i = 0; i < toks; i++) {
             if (get_bits_left(&ctx->gb) <= 0) {



More information about the libav-commits mailing list