diff options
| author | Martin Storsjö <martin@martin.st> | 2013-09-29 00:59:50 +0300 |
|---|---|---|
| committer | Martin Storsjö <martin@martin.st> | 2013-09-29 20:02:19 +0300 |
| commit | fc739b3eefa0b58d64e7661621da94a94dbc8a82 (patch) | |
| tree | 7b7b0c9eeffc872f72d50c3985d1ba7b7b3a9a6c | |
| parent | 30db94dc399f6e4ef8905049d9b740556f0fce47 (diff) | |
| download | ffmpeg-fc739b3eefa0b58d64e7661621da94a94dbc8a82.tar.gz | |
xan: Only read within the data that actually was initialized
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
| -rw-r--r-- | libavcodec/xan.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 2bdced736c..8a33e79d50 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -103,6 +103,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; + unsigned char *dest_start = dest; GetBitContext gb; if (ptr_len < 0) @@ -118,13 +119,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, if (val < 0x16) { if (dest >= dest_end) - return 0; + return dest_len; *dest++ = val; val = ival; } } - return 0; + return dest - dest_start; } /** @@ -278,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) unsigned char flag = 0; int size = 0; int motion_x, motion_y; - int x, y; + int x, y, ret; unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; @@ -312,9 +313,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); imagedata_segment = s->buf + imagedata_offset; - if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, - huffman_segment, s->size - huffman_offset) < 0) + if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - huffman_offset)) < 0) return AVERROR_INVALIDDATA; + opcode_buffer_end = opcode_buffer + ret; if (imagedata_segment[0] == 2) { xan_unpack(s->buffer2, s->buffer2_size, |