diff options
| author | Anton Khirnov <anton@khirnov.net> | 2013-11-28 10:54:35 +0100 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2014-02-14 11:31:35 +0100 |
| commit | d2a065437a96b5ab73f15362fe3d5cde3c61f160 (patch) | |
| tree | e58bd6c8791b6d6ddba0617ee3f52c862348aa5a | |
| parent | 27f60e2b0b419066619c738b3c9b9376a83ed4b1 (diff) | |
| download | ffmpeg-d2a065437a96b5ab73f15362fe3d5cde3c61f160.tar.gz | |
rpza: limit the number of blocks to the total remaining blocks in the frame
Fixes invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
| -rw-r--r-- | libavcodec/rpza.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 59b15c6d4f..63ea706749 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -38,6 +38,7 @@ #include <stdlib.h> #include <string.h> +#include "libavutil/common.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -126,6 +127,8 @@ static void rpza_decode_stream(RpzaContext *s) } } + n_blocks = FFMIN(n_blocks, total_blocks); + switch (opcode & 0xe0) { /* Skip blocks */ |