cdgraphics: Fix out of array write

Fixes Ticket1359 Found-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-05-28 16:50:15 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2012-06-09 20:37:27 +0200
commit: a4b329d6228ecad76299523cdbee16f37a8ca98b (patch)
tree: 24359d6079f15c047839cf57103db04fa1ef9203
parent: eefd6bbee90a13fcb9c6fe7ab4f679c82381799c (diff)
download: ffmpeg-a4b329d6228ecad76299523cdbee16f37a8ca98b.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index b87ca1d2c3..1bba406478 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
         return AVERROR(EINVAL);
     }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }
 
     ret = avctx->reget_buffer(avctx, &cc->frame);
     if (ret) {
author	Michael Niedermayer <michaelni@gmx.at>	2012-05-28 16:50:15 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2012-06-09 20:37:27 +0200
commit	a4b329d6228ecad76299523cdbee16f37a8ca98b (patch)
tree	24359d6079f15c047839cf57103db04fa1ef9203
parent	eefd6bbee90a13fcb9c6fe7ab4f679c82381799c (diff)
download	ffmpeg-a4b329d6228ecad76299523cdbee16f37a8ca98b.tar.gz