diff options
author | Luca Barbato <lu_zero@gentoo.org> | 2013-07-19 21:09:40 +0200 |
---|---|---|
committer | Luca Barbato <lu_zero@gentoo.org> | 2013-07-19 22:14:07 +0200 |
commit | dd0bfc3a6a310e3e3674ce7742672d689a9a0e93 (patch) | |
tree | c16f821299811b771047d2938ce9d4a34c4398cb | |
parent | fcae3ff124ee97c9265e3b93f3d41238b2aee9bd (diff) | |
download | ffmpeg-dd0bfc3a6a310e3e3674ce7742672d689a9a0e93.tar.gz |
dsicinav: Bound-check the source buffer when needed
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
-rw-r--r-- | libavcodec/dsicinav.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c index 7b36742279..afcb8ef7ff 100644 --- a/libavcodec/dsicinav.c +++ b/libavcodec/dsicinav.c @@ -195,11 +195,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, while (src < src_end && dst < dst_end) { code = *src++; if (code & 0x80) { + if (src >= src_end) + break; len = code - 0x7F; memset(dst, *src++, FFMIN(len, dst_end - dst)); } else { len = code + 1; - memcpy(dst, src, FFMIN(len, dst_end - dst)); + memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src)); src += len; } dst += len; |