sanm: Check decoded_size.

This prevents a buffer overflow in rle_decode() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 7357ca900efcf829de4cce4cec6ddc286526d417) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-01-24 00:27:10 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-02-07 01:00:02 +0100
commit: 89e16e675d3cbe76cf4581f98bf4ac300cab0286 (patch)
tree: d95537d03a3f92b1af56ddd149d5dae6178da618
parent: 4cd1dad91ae97fe1f0dd534c3f5566787566f137 (diff)
download: ffmpeg-89e16e675d3cbe76cf4581f98bf4ac300cab0286.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index e2d8c0dd2d..21073e2344 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -638,6 +638,11 @@ static int old_codec47(SANMVideoContext *ctx, int top,
     decoded_size = bytestream2_get_le32(&ctx->gb);
     bytestream2_skip(&ctx->gb, 8);
 
+    if (decoded_size > height * stride - left - top * stride) {
+        decoded_size = height * stride - left - top * stride;
+        av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n");
+    }
+
     if (skip & 1)
         bytestream2_skip(&ctx->gb, 0x8080);
     if (!seq) {
author	Michael Niedermayer <michaelni@gmx.at>	2013-01-24 00:27:10 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-02-07 01:00:02 +0100
commit	89e16e675d3cbe76cf4581f98bf4ac300cab0286 (patch)
tree	d95537d03a3f92b1af56ddd149d5dae6178da618
parent	4cd1dad91ae97fe1f0dd534c3f5566787566f137 (diff)
download	ffmpeg-89e16e675d3cbe76cf4581f98bf4ac300cab0286.tar.gz