diff options
author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-02-28 17:04:33 -0800 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-02-29 21:43:20 +0100 |
commit | 4493af756b8f8346b1e7671b487afc34c72bc16e (patch) | |
tree | 8130d5e27e3c42bc704c2533033199e9a26519b2 | |
parent | e904e9b7204b6ebd3433dd49a6c978ffb293cbdc (diff) | |
download | ffmpeg-4493af756b8f8346b1e7671b487afc34c72bc16e.tar.gz |
rpza: error out on buffer overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/rpza.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 7350ef2c4a..59c3a7b3a7 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s) color4[1] |= ((11 * ta + 21 * tb) >> 5); color4[2] |= ((21 * ta + 11 * tb) >> 5); + if (s->size - stream_ptr < n_blocks * 4) + return; while (n_blocks--) { block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { @@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s) /* Fill block with 16 colors */ case 0x00: + if (s->size - stream_ptr < 16) + return; block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ |