diff options
| author | Baptiste Coudurier <baptiste.coudurier@gmail.com> | 2007-03-24 23:57:42 +0000 |
|---|---|---|
| committer | Baptiste Coudurier <baptiste.coudurier@gmail.com> | 2007-03-24 23:57:42 +0000 |
| commit | 7a28b7714e4503149f773782a19708c773f3d62d (patch) | |
| tree | bf17d06e5dc8be9a0524e65acaf2ec78cc9b4db2 /libavcodec/gifdec.c | |
| parent | 5f7ab90a0c2c7330d55f8389dc9cd771a644f032 (diff) | |
| download | ffmpeg-7a28b7714e4503149f773782a19708c773f3d62d.tar.gz | |
add some length checks
Originally committed as revision 8501 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/gifdec.c')
| -rw-r--r-- | libavcodec/gifdec.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 392625e98a..cd432b95d6 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -48,6 +48,7 @@ typedef struct GifState { /* LZW compatible decoder */ uint8_t *bytestream; + uint8_t *bytestream_end; LZWState *lzw; /* aux buffers */ @@ -209,6 +210,9 @@ static int gif_read_header1(GifState *s) int v, n; int has_global_palette; + if (s->bytestream_end < s->bytestream + 13) + return -1; + /* read gif signature */ bytestream_get_buffer(&s->bytestream, sig, 6); if (memcmp(sig, gif87a_sig, 6) != 0 && @@ -238,6 +242,8 @@ static int gif_read_header1(GifState *s) #endif if (has_global_palette) { n = 1 << s->bits_per_pixel; + if (s->bytestream_end < s->bytestream + n * 3) + return -1; bytestream_get_buffer(&s->bytestream, s->global_palette, n * 3); } return 0; @@ -245,7 +251,7 @@ static int gif_read_header1(GifState *s) static int gif_parse_next_image(GifState *s) { - for (;;) { + while (s->bytestream < s->bytestream_end) { int code = bytestream_get_byte(&s->bytestream); #ifdef DEBUG dprintf(s->avctx, "gif: code=%02x '%c'\n", code, code); @@ -289,6 +295,7 @@ static int gif_decode_frame(AVCodecContext *avctx, void *data, int *data_size, u int ret; s->bytestream = buf; + s->bytestream_end = buf + buf_size; if (gif_read_header1(s) < 0) return -1; |