author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-02-23 16:09:36 -0800 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-01 18:33:27 +0200 |
commit | d10c22d33ce3d134025bc7fb0b2acbd58a0cef50 (patch) | |
tree | 395fdc7d6d393c70334124106dc326c77f69ec2b | |
parent | b1d9a808633f695aa74b5c8b59eb628bc1bea1e2 (diff) | |
lcl: error out if uncompressed input buffer is smaller than framesize.
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
-rw-r--r-- | libavcodec/lcldec.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 70414d4d55..017df55da7 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
 len = mszh_dlen;
 }
 break;
- case COMP_MSZH_NOCOMP:
+ case COMP_MSZH_NOCOMP: {
+ int bppx2;
+ switch (c->imgtype) {
+ case IMGTYPE_YUV111:
+ case IMGTYPE_RGB24:
+ bppx2 = 6;
+ break;
+ case IMGTYPE_YUV422:
+ case IMGTYPE_YUV211:
+ bppx2 = 4;
+ break;
+ case IMGTYPE_YUV411:
+ case IMGTYPE_YUV420:
+ bppx2 = 3;
+ break;
+ default:
+ bppx2 = 0; // will error out below
+ break;
+ }
+ if (len < ((width * height * bppx2) >> 1))
+ return AVERROR_INVALIDDATA;
 break;
+ }
 default:
 av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
 return -1; |
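Review bot: The comment `// will error out below` on the `default:` branch does not hold for the size check that follows it. With `bppx2 = 0` the right-hand side is 0, so `len < 0` cannot be true for any non-negative `len`, and an unknown `c->imgtype` passes this guard. Rejection then depends on code later in decode_frame, whose body starts and ends outside this hunk; returning directly would make the guard self-contained: `default: return AVERROR_INVALIDDATA;`. Separately, `width * height * bppx2` is evaluated in the operands' own type, so the bound only holds if the frame dimensions are validated elsewhere such that the product cannot wrap. That is worth confirming, since the declarations and any dimension check are not visible here.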