diff options
| author | Luca Barbato <lu_zero@gentoo.org> | 2013-07-22 23:26:05 +0200 |
|---|---|---|
| committer | Luca Barbato <lu_zero@gentoo.org> | 2013-08-24 15:43:13 +0200 |
| commit | e6cf47ee9e36f249f63e7dee5f99ad8b5386eaa4 (patch) | |
| tree | 8bee5d0110fa767ec3897db1d78b71ed89ee151d | |
| parent | f8602ef7176d45521ea82176c9342e9298e119a8 (diff) | |
| download | ffmpeg-e6cf47ee9e36f249f63e7dee5f99ad8b5386eaa4.tar.gz | |
8bps: Bound-check the input buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit bd7b4da0f4627bb6c4a7c2575da83fe6b261a21c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavcodec/8bps.c
| -rw-r--r-- | libavcodec/8bps.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 8f0692c4ba..3d81810fe4 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -64,7 +64,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; - const unsigned char *lp, *dp; + const unsigned char *lp, *dp, *ep; unsigned char count; unsigned int px_inc; unsigned int planes = c->planes; @@ -80,6 +80,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, return -1; } + ep = encoded + buf_size; + /* Set data pointer after line lengths */ dp = encoded + planes * (height << 1); @@ -97,17 +99,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, for (row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; pixptr_end = pixptr + c->pic.linesize[0]; + if (ep - lp < row * 2 + 2) + return AVERROR_INVALIDDATA; dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2)); /* Decode a row of this plane */ while (dlen > 0) { - if (dp + 1 >= buf + buf_size) + if (ep - dp <= 1) return -1; if ((count = *dp++) <= 127) { count++; dlen -= count + 1; if (pixptr + count * px_inc > pixptr_end) break; - if (dp + count > buf + buf_size) + if (ep - dp < count) return -1; while (count--) { *pixptr = *dp++; |