author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-02-23 16:09:36 -0800 |
---|---|---|
committer | Ronald S. Bultje <rsbultje@gmail.com> | 2012-02-24 07:28:57 -0800 |
commit | be129271eac04f91393bf42a490ec631e1a9abea (patch) | |
tree | d4bd45ac4cb60ad7bf64e319408504b74a80aa41 /libavcodec/lcldec.c | |
parent | ab492ca2ab105aeb24d955f3f03756bdb3139ee1 (diff) | |
lcl: error out if uncompressed input buffer is smaller than framesize.
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec/lcldec.c')
-rw-r--r-- | libavcodec/lcldec.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index a7f0bde23e..d3a85f7863 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
 len = mszh_dlen;
 }
 break;
- case COMP_MSZH_NOCOMP:
+ case COMP_MSZH_NOCOMP: {
+ int bppx2;
+ switch (c->imgtype) {
+ case IMGTYPE_YUV111:
+ case IMGTYPE_RGB24:
+ bppx2 = 6;
+ break;
+ case IMGTYPE_YUV422:
+ case IMGTYPE_YUV211:
+ bppx2 = 4;
+ break;
+ case IMGTYPE_YUV411:
+ case IMGTYPE_YUV420:
+ bppx2 = 3;
+ break;
+ default:
+ bppx2 = 0; // will error out below
+ break;
+ }
+ if (len < ((width * height * bppx2) >> 1))
+ return AVERROR_INVALIDDATA;
 break;
+ }
 default:
 av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
 return -1; |
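Review bot: The size check `if (len < ((width * height * bppx2) >> 1))` multiplies in whatever width `width` and `height` have, and their declarations are outside this hunk; if they are 32-bit, sufficiently large frame dimensions could wrap the product and let an undersized packet pass the check, unless the dimensions are bounded elsewhere. Doing the arithmetic in 64 bits removes that dependency: `if (len < (((uint64_t)width * height * bppx2) >> 1))`. Separately, the `default:` branch sets `bppx2 = 0`, which makes the required size 0, so this check cannot reject anything on that path. The comment `// will error out below` therefore relies on code past the hunk, and a direct `return AVERROR_INVALIDDATA;` in that branch would keep the rejection local. decode_frame starts and ends outside the hunk.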