diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2013-07-12 12:57:17 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-07-12 12:58:13 +0200 |
commit | 50617fce073ca3e360388b38a83341e37db92b80 (patch) | |
tree | 68d2e0a250dbb5ae9a935031f385e9239f4a86b2 | |
parent | 54bbb9056801b778126a4bf5036d9d3638da1802 (diff) | |
parent | 3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22 (diff) | |
download | ffmpeg-50617fce073ca3e360388b38a83341e37db92b80.tar.gz |
Merge commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22'
* commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22':
pcx: Do not overread source buffer in pcx_rle_decode
Conflicts:
libavcodec/pcx.c
See: 8cd1c0febe88b757e915e9af15559575c21ca728
Bytestream based system is left in place and not switched to buf+end, such switch would be
a step backward
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/pcx.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c index 42d42b2397..67bc839efb 100644 --- a/libavcodec/pcx.c +++ b/libavcodec/pcx.c @@ -28,17 +28,19 @@ #include "get_bits.h" #include "internal.h" -static void pcx_rle_decode(GetByteContext *gb, uint8_t *dst, - unsigned int bytes_per_scanline, int compressed) +static void pcx_rle_decode(GetByteContext *gb, + uint8_t *dst, + unsigned int bytes_per_scanline, + int compressed) { unsigned int i = 0; unsigned char run, value; if (compressed) { - while (i < bytes_per_scanline) { + while (i < bytes_per_scanline && bytestream2_get_bytes_left(gb)>0) { run = 1; value = bytestream2_get_byte(gb); - if (value >= 0xc0) { + if (value >= 0xc0 && bytestream2_get_bytes_left(gb)>0) { run = value & 0x3f; value = bytestream2_get_byte(gb); } @@ -104,7 +106,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, bytes_per_line = bytestream2_get_le16u(&gb); bytes_per_scanline = nplanes * bytes_per_line; - if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8) { + if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 || + (!compressed && bytes_per_scanline > bytestream2_get_bytes_left(&gb) / h)) { av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n"); return AVERROR_INVALIDDATA; } |