diff options
| author | Martin Storsjö <martin@martin.st> | 2013-09-29 00:59:50 +0300 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-10-04 03:52:10 +0200 |
| commit | 09ace619d6ccb2c0a45b5fdead29f926409fa129 (patch) | |
| tree | 08bbef12bbd82ed23b7236854337c26a26fa0a60 | |
| parent | 145de32896b37a508f11bcf11dfcc94487301716 (diff) | |
| download | ffmpeg-09ace619d6ccb2c0a45b5fdead29f926409fa129.tar.gz | |
xan: Only read within the data that actually was initialized
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavcodec/xan.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 0dd81f5681..369f89b18e 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; + unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len < 0) @@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val < 0x16) { if (dest >= dest_end) - return 0; + return dest_len; *dest++ = val; val = ival; } } - return 0; + return dest - dest_start; } /** @@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) { unsigned char flag = 0; int size = 0; int motion_x, motion_y; - int x, y; + int x, y, ret; unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; @@ -308,9 +309,10 @@ static int xan_wc3_decode_frame(XanContext *s) { bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; - if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - huffman_offset) < 0) + if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset)) < 0) return AVERROR_INVALIDDATA; + opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, s->buffer2_size, |