rpza: error out on buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-28 17:04:33 -0800
committer: Reinhard Tartler <siretart@tauware.de> 2012-04-01 18:33:27 +0200
commit: e15d137ecfa9e78797e7f25b5aa32834f00f2559 (patch)
tree: 977cd9feb0829debfd5c8f2239dcdb65e2818330
parent: 87a1169ab85d4232daff457b16c2fac9280fe608 (diff)
download: ffmpeg-e15d137ecfa9e78797e7f25b5aa32834f00f2559.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 958f103865..d1803fccc5 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s)
             color4[1] |= ((11 * ta + 21 * tb) >> 5);
             color4[2] |= ((21 * ta + 11 * tb) >> 5);
 
+            if (s->size - stream_ptr < n_blocks * 4)
+                return;
             while (n_blocks--) {
                 block_ptr = row_ptr + pixel_ptr;
                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
@@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s)
 
         /* Fill block with 16 colors */
         case 0x00:
+            if (s->size - stream_ptr < 16)
+                return;
             block_ptr = row_ptr + pixel_ptr;
             for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                 for (pixel_x = 0; pixel_x < 4; pixel_x++){
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-28 17:04:33 -0800
committer	Reinhard Tartler <siretart@tauware.de>	2012-04-01 18:33:27 +0200
commit	e15d137ecfa9e78797e7f25b5aa32834f00f2559 (patch)
tree	977cd9feb0829debfd5c8f2239dcdb65e2818330
parent	87a1169ab85d4232daff457b16c2fac9280fe608 (diff)
download	ffmpeg-e15d137ecfa9e78797e7f25b5aa32834f00f2559.tar.gz