aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2013-07-12 12:57:17 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-07-12 12:58:13 +0200
commit50617fce073ca3e360388b38a83341e37db92b80 (patch)
tree68d2e0a250dbb5ae9a935031f385e9239f4a86b2
parent54bbb9056801b778126a4bf5036d9d3638da1802 (diff)
parent3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22 (diff)
downloadffmpeg-50617fce073ca3e360388b38a83341e37db92b80.tar.gz
Merge commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22'
* commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22': pcx: Do not overread source buffer in pcx_rle_decode Conflicts: libavcodec/pcx.c See: 8cd1c0febe88b757e915e9af15559575c21ca728 Bytestream based system is left in place and not switched to buf+end, such switch would be a step backward Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/pcx.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 42d42b2397..67bc839efb 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -28,17 +28,19 @@
#include "get_bits.h"
#include "internal.h"
-static void pcx_rle_decode(GetByteContext *gb, uint8_t *dst,
- unsigned int bytes_per_scanline, int compressed)
+static void pcx_rle_decode(GetByteContext *gb,
+ uint8_t *dst,
+ unsigned int bytes_per_scanline,
+ int compressed)
{
unsigned int i = 0;
unsigned char run, value;
if (compressed) {
- while (i < bytes_per_scanline) {
+ while (i < bytes_per_scanline && bytestream2_get_bytes_left(gb)>0) {
run = 1;
value = bytestream2_get_byte(gb);
- if (value >= 0xc0) {
+ if (value >= 0xc0 && bytestream2_get_bytes_left(gb)>0) {
run = value & 0x3f;
value = bytestream2_get_byte(gb);
}
@@ -104,7 +106,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
bytes_per_line = bytestream2_get_le16u(&gb);
bytes_per_scanline = nplanes * bytes_per_line;
- if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8) {
+ if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 ||
+ (!compressed && bytes_per_scanline > bytestream2_get_bytes_left(&gb) / h)) {
av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n");
return AVERROR_INVALIDDATA;
}