From cd9b0bb07a66d3299bd62922e9dfa742219abe79 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Fri, 7 Jun 2013 16:16:46 +0200
Subject: [PATCH] 4xm: validate the buffer size before parsing it

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit de2e5777e225e75813daf2373c95e223651fd89a)
Signed-off-by: Luca Barbato
---
 libavcodec/4xm.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 77d15d5803..52c16cfd77 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -382,6 +382,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
 unsigned int bitstream_size, bytestream_size, wordstream_size, extra, bytestream_offset, wordstream_offset;
 
 if(f->version>1){
+ if (length < 20)
+ return AVERROR_INVALIDDATA;
 extra=20;
 bitstream_size= AV_RL32(buf+8);
 wordstream_size= AV_RL32(buf+12);
@@ -734,18 +736,28 @@ static int decode_frame(AVCodecContext *avctx,
 AVFrame *p, temp;
 int i, frame_4cc, frame_size;
 
- frame_4cc= AV_RL32(buf);
- if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
- av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
+ if (buf_size < 20)
+ return AVERROR_INVALIDDATA;
+
+ if (buf_size < AV_RL32(buf + 4) + 8) {
+ av_log(f->avctx, AV_LOG_ERROR,
+ "size mismatch %d %d\n", buf_size, AV_RL32(buf + 4));
 }
 
+ frame_4cc = AV_RL32(buf);
+
 if(frame_4cc == AV_RL32("cfrm")){
 int free_index=-1;
- const int data_size= buf_size - 20;
- const int id= AV_RL32(buf+12);
- const int whole_size= AV_RL32(buf+16);
+ int id, whole_size;
+ const int data_size = buf_size - 20;
 CFrameBuffer *cfrm;
 
+ if (data_size < 0)
+ return AVERROR_INVALIDDATA;
+
+ id = AV_RL32(buf + 12);
+ whole_size = AV_RL32(buf + 16);
+
 for(i=0; icfrm[i].id && f->cfrm[i].id < avctx->frame_number)
 av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
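Review bot: The new `length < 20` guard in decode_p_frame covers only the `f->version>1` branch; if the older-version path (outside the hunk) also reads fixed header fields from `buf`, it needs its own minimum-length check, since nothing visible here bounds it. The literal 20 silently duplicates the `extra=20` assigned on the next line, so a comment tying them together would help: `/* fixed header plus the 32-bit section sizes read below; must match extra */` (what the first 8 bytes hold is not visible in the hunk, so the wording is deliberately generic). The section sizes read at `buf+8` and `buf+12` are unsigned and presumably summed against `length` further down; that later bound should be computed so it cannot wrap, or the 20-byte check alone buys little. decode_p_frame continues past the hunk.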
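Review bot: In decode_frame, `buf_size < AV_RL32(buf + 4) + 8` can wrap when the 32-bit size field is within 8 of UINT32_MAX, so a corrupt header of that shape passes the comparison and the mismatch is never logged; since `buf_size >= 20` is now guaranteed just above, the subtraction side is safe and the test can be written as `if (AV_RL32(buf + 4) > (unsigned)(buf_size - 8)) {` (buf_size is printed with `%d`, so presumably `int`). The `%d` used for `AV_RL32(buf + 4)` in that av_log does not match the unsigned value; `%u` would. The later `data_size < 0` return can never fire once `buf_size < 20` has already returned, so it is redundant as written, while `id` and `whole_size` are taken as `int` from unsigned 32-bit reads and may be negative wherever they are compared outside the hunk, which is the bound that actually needs checking. decode_frame starts and ends outside the hunk.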