author | Michael Niedermayer <michaelni@gmx.at> | 2013-05-04 14:37:22 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-05-04 14:42:19 +0200 |
commit | e9e207ece7a22970a94a9094a12ec03250706212 (patch) | |
tree | dc4ed19e0ac62e3d296af8670dbfbc4cdda06a24 | |
parent | d18341fb1121332056aecc00096159df16d01107 (diff) | |
download | ffmpeg-e9e207ece7a22970a94a9094a12ec03250706212.tar.gz |
dfa: Put our pointer check back.
The reimplementation by Libav does not prevent out of array
writes, even though it looks like it does at a quick glance.
No FFmpeg releases are affected by this
See: d1c95d2ce39560e251fdb14f4af91b04fd7b845c
3623589edc7b1257bb45aa9e52c9631e133f22b6
740ebe468c0567cac03ef7e6b4b9fd0253b97da2
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/dfa.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 6a095b2db9..bba7626cb7 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -254,6 +254,9 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height y += skip_lines; segments = bytestream2_get_le16(gb); } + + if (frame_end <= frame) + return AVERROR_INVALIDDATA; if (segments & 0x8000) { frame[width - 1] = segments & 0xFF; segments = bytestream2_get_le16(gb); |
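Review bot: The new guard in decode_wdlt(), `if (frame_end <= frame)`, only establishes that `frame` is still below `frame_end`, while the write that immediately follows it is `frame[width - 1] = segments & 0xFF;`, which needs a full row of space rather than a single byte. If `frame` only ever advances in whole rows, so that being below `frame_end` implies at least `width` bytes remain, please state that invariant in a comment next to the check. Otherwise, compare the remaining space against `width` (for example `frame_end - frame < width`). Since the commit message notes that the existing bounds logic around `y += skip_lines` looks sufficient at a quick glance but is not, a one-line comment explaining why the pointer check is needed as well would help keep it from being dropped again in a later merge.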