diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2015-09-10 14:46:05 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2015-09-11 18:19:00 +0200 |
| commit | 9b5a4a9cce3042558e107ae1ed30d9bf3d867a35 (patch) | |
| tree | dee40c8cdeae2a4d7cbb02ee6a4923fe7e240e95 | |
| parent | 41ed749fe987e60b0485fa721ad869590651324d (diff) | |
| download | ffmpeg-9b5a4a9cce3042558e107ae1ed30d9bf3d867a35.tar.gz | |
mmvideo: Make sure the rle does not write over the frame boundaries
Bug-Id: 887
CC: libav-stable@libav.org
| -rw-r--r-- | libavcodec/mmvideo.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c index f8adcddd3a..0736630df7 100644 --- a/libavcodec/mmvideo.c +++ b/libavcodec/mmvideo.c @@ -99,7 +99,8 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) while (bytestream2_get_bytes_left(&s->gb) > 0) { int run_length, color; - if (y >= s->avctx->height) + // writes one more line when half_vert is true + if (y >= s->avctx->height + !!half_vert) return 0; color = bytestream2_get_byte(&s->gb); @@ -113,6 +114,9 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) if (half_horiz) run_length *=2; + if (s->avctx->width - x < run_length) + return AVERROR_INVALIDDATA; + if (color) { memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length); if (half_vert) |