diff options
| author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-08 16:32:46 -0800 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2012-03-14 20:47:19 +0100 |
| commit | 8f881885c2325ce83f114437b97c2e0d6001cd7d (patch) | |
| tree | 8c04985b3f9bd460e196390e9c0f88a115ddfd30 | |
| parent | 26521d87ba22fe1bb49f1f0796c7227017064e7f (diff) | |
| download | ffmpeg-8f881885c2325ce83f114437b97c2e0d6001cd7d.tar.gz | |
xxan: don't read before start of buffer in av_memcpy_backptr().
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit f1279e286b00e99f343adb51e251f036a3df6f32)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
| -rw-r--r-- | libavcodec/xxan.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 58c80c05fa..12a261b49f 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -129,7 +129,8 @@ static int xan_unpack(uint8_t *dest, const int dest_len, if (size + size2 > dest_end - dest) break; } - if (src + size > src_end || dest + size + size2 > dest_end) + if (src + size > src_end || dest + size + size2 > dest_end || + dest - orig_dest + size < back) return -1; bytestream_get_buffer(&src, dest, size); dest += size; |