aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/msrledec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-12-13 15:45:43 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-01-03 17:51:52 +0100
commit0a2fbb0a8435e0d29bf5067cb13344e1d6e11939 (patch)
tree81be6aad4d705e85fde9cd7e79c2c2ffad1b2b84 /libavcodec/msrledec.c
parentb4ad6413349c88833a7e48af68283fcf04f9433b (diff)
downloadffmpeg-0a2fbb0a8435e0d29bf5067cb13344e1d6e11939.tar.gz
msrledec: Check for overreads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 53be37e368928e7f274e33ef8d118109da373c79) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/msrledec.c')
-rw-r--r--libavcodec/msrledec.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index db8de7032d..129f0e0bc0 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + avctx->height * pic->linesize[0];
- while(src < data + srcsize) {
+ while(src + 1 < data + srcsize) {
p1 = *src++;
if(p1 == 0) { //Escape code
p2 = *src++;
@@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
src += p2 * (depth >> 3);
continue;
}
+ if(data + srcsize - src < p2 * (depth >> 3)){
+ av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
+ return -1;
+ }
if ((depth == 8) || (depth == 24)) {
for(i = 0; i < p2 * (depth >> 3); i++) {
*output++ = *src++;