pcx: check that the packet is large enough before reading the header

Fixes possible invalid reads. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
author: Anton Khirnov <anton@khirnov.net> 2016-08-14 10:18:39 +0200
committer: Anton Khirnov <anton@khirnov.net> 2016-08-18 17:06:46 +0200
commit: 221402c1c88b9d12130c6f5834029b535ee0e0c5 (patch)
tree: 305e504acd76690bcf49c8db6e738632ac403a69
parent: 15ee419b7abaf17f8c662c145fe93d3dbf43282b (diff)
download: ffmpeg-221402c1c88b9d12130c6f5834029b535ee0e0c5.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 77b2331f0e..2191ad1503 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -28,6 +28,8 @@
 #include "get_bits.h"
 #include "internal.h"
 
+#define PCX_HEADER_SIZE 128
+
 /**
  * @return advanced src pointer
  */
@@ -85,6 +87,11 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     uint8_t *scanline;
     int ret = -1;
 
+    if (buf_size < PCX_HEADER_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (buf[0] != 0x0a || buf[1] > 5) {
         av_log(avctx, AV_LOG_ERROR, "this is not PCX encoded data\n");
         return AVERROR_INVALIDDATA;
author	Anton Khirnov <anton@khirnov.net>	2016-08-14 10:18:39 +0200
committer	Anton Khirnov <anton@khirnov.net>	2016-08-18 17:06:46 +0200
commit	221402c1c88b9d12130c6f5834029b535ee0e0c5 (patch)
tree	305e504acd76690bcf49c8db6e738632ac403a69
parent	15ee419b7abaf17f8c662c145fe93d3dbf43282b (diff)
download	ffmpeg-221402c1c88b9d12130c6f5834029b535ee0e0c5.tar.gz