diff options
| author | Anton Khirnov <anton@khirnov.net> | 2013-11-28 10:54:35 +0100 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2014-02-14 11:43:59 +0100 |
| commit | cf676c159b810d5126924aeab9abc8f8271881e0 (patch) | |
| tree | 281cc191ef1ccb3c5f7a627fe926fd599b0d64af | |
| parent | 36017d49e2f797f7371dc24848a2285ca63e39ab (diff) | |
| download | ffmpeg-cf676c159b810d5126924aeab9abc8f8271881e0.tar.gz | |
rpza: limit the number of blocks to the total remaining blocks in the frame
Fixes invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavcodec/rpza.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index c0cea865df..31d199c083 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -38,6 +38,7 @@ #include <stdlib.h> #include <string.h> +#include "libavutil/common.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s) } } + n_blocks = FFMIN(n_blocks, total_blocks); + switch (opcode & 0xe0) { /* Skip blocks */ |