lagarith: check count before writing zeros.

Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Michael Niedermayer <michaelni@gmx.at> 2012-04-14 18:28:31 +0200
committer: Anton Khirnov <anton@khirnov.net> 2012-09-29 09:28:32 +0200
commit: b631e4ed64f7d1b9ca8f897fda31140e8d1fad81 (patch)
tree: 1311faf390c65ecb29a81370d88e11a531e0feab /libavcodec/lagarith.c
parent: 99f392a584dd10b553facc8e819f2c7e982e176d (diff)
download: ffmpeg-b631e4ed64f7d1b9ca8f897fda31140e8d1fad81.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index e365610410..a34c28941b 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -361,6 +361,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
 output_zeros:
     if (l->zeros_rem) {
         count = FFMIN(l->zeros_rem, width - i);
+        if (end - dst < count) {
+            av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         memset(dst, 0, count);
         l->zeros_rem -= count;
         dst += count;
author	Michael Niedermayer <michaelni@gmx.at>	2012-04-14 18:28:31 +0200
committer	Anton Khirnov <anton@khirnov.net>	2012-09-29 09:28:32 +0200
commit	b631e4ed64f7d1b9ca8f897fda31140e8d1fad81 (patch)
tree	1311faf390c65ecb29a81370d88e11a531e0feab /libavcodec/lagarith.c
parent	99f392a584dd10b553facc8e819f2c7e982e176d (diff)
download	ffmpeg-b631e4ed64f7d1b9ca8f897fda31140e8d1fad81.tar.gz