lagarith: check count before writing zeros.

Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Michael Niedermayer <michaelni@gmx.at> 2012-04-14 18:28:31 +0200
committer: Reinhard Tartler <siretart@tauware.de> 2013-01-04 07:43:37 +0100
commit: 44da556815fc02ed0c763e8e8bda3ea7824b7954 (patch)
tree: 03f3362367cfc89757d7805bcf1f632dbf670a0a
parent: aa097b4d5fd41679cda6780fd8d70a3de33c6820 (diff)
download: ffmpeg-44da556815fc02ed0c763e8e8bda3ea7824b7954.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index 3d53536d13..5e00a75b5a 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -322,6 +322,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
 output_zeros:
     if (l->zeros_rem) {
         count = FFMIN(l->zeros_rem, width - i);
+        if (end - dst < count) {
+            av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         memset(dst, 0, count);
         l->zeros_rem -= count;
         dst += count;
author	Michael Niedermayer <michaelni@gmx.at>	2012-04-14 18:28:31 +0200
committer	Reinhard Tartler <siretart@tauware.de>	2013-01-04 07:43:37 +0100
commit	44da556815fc02ed0c763e8e8bda3ea7824b7954 (patch)
tree	03f3362367cfc89757d7805bcf1f632dbf670a0a
parent	aa097b4d5fd41679cda6780fd8d70a3de33c6820 (diff)
download	ffmpeg-44da556815fc02ed0c763e8e8bda3ea7824b7954.tar.gz