authorMichael Niedermayer <michaelni@gmx.at>2012-03-03 03:50:05 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-03-03 03:50:05 +0100
commit81d4b3af81b52a79f11705ef02d3f48747047404 (patch)
treeae219ecaf8a299eb22a45c828072778a0f6795a9 /libavcodec/qpeg.c
parent4299dfa5ded84111231a456ad102f65f6f62649e (diff)
qpeg: fix overreads.
qpeg should probably be changed to use the checked bytestream reader. But for now this fixes it and is significantly less work. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/qpeg.c')
-rw-r--r--libavcodec/qpeg.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c
index f2dba732bc..2d5ae690ca 100644
--- a/libavcodec/qpeg.c
+++ b/libavcodec/qpeg.c
@@ -143,7 +143,7 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
if(delta) {
/* motion compensation */
- while((code & 0xF0) == 0xF0) {
+ while(size > 0 && (code & 0xF0) == 0xF0) {
if(delta == 1) {
int me_idx;
int me_w, me_h, me_x, me_y;
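Review bot: The added `size > 0` test in the motion-compensation `while` only proves that one input byte is left at the top of an iteration, and the loop body continues past the end of this hunk. If an iteration reads a motion-vector byte and then the next opcode (not visible here, so to be confirmed), the second read is still unchecked when exactly one byte remains. A check placed directly before each read inside the loop, sized to what that path consumes, would close this. At minimum a comment such as `/* size > 0 covers a single byte; every read in the body must re-check */` should record the limit of the guard.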
@@ -210,6 +210,9 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
} else if(code >= 0xC0) { /* copy code: 0xC0..0xDF */
code &= 0x1F;
+ if(code + 1 > size)
+ break;
+
for(i = 0; i <= code; i++) {
dst[filled++] = *src++;
if(filled >= width) {
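Review bot: The new `if(code + 1 > size) break;` bounds only the source side of the copy run; the `dst[filled++]` write and the row wrap that begins at `if(filled >= width)` are not covered by it, and the wrap body lies outside this hunk. If that wrap does not re-check how many rows remain, a run crossing the last row would write outside the frame even though every source byte is in range. That is worth confirming, and it needs a guard inside the wrap branch if one is absent. Separately, the function is `static void`, so this `break` ends decoding of a truncated packet with no signal to the caller.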
@@ -227,11 +230,11 @@ static void qpeg_decode_inter(const uint8_t *src, uint8_t *dst, int size,
code &= 0x3F;
/* codes 0x80 and 0x81 are actually escape codes,
skip value minus constant is in the next byte */
- if(!code)
- skip = (*src++) + 64;
- else if(code == 1)
- skip = (*src++) + 320;
- else
+ if(!code) {
+ skip = (*src++) + 64; size--;
+ } else if(code == 1) {
+ skip = (*src++) + 320; size--;
+ } else
skip = code;
filled += skip;
while( filled >= width) {
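Review bot: Both escape-code branches read `*src++` before anything confirms that a byte is left. The added `size--` keeps the count right afterwards, but it does not stop the read when the opcode was the last byte of the packet. A guard ahead of the `if(!code)` test, for example `if(code < 2 && size < 1) break;`, would make the read itself bounded, assuming this branch sits directly in the main decode loop as the `break` in the copy-code branch suggests. Putting `size--;` on the same line as the assignment also makes the accounting easy to miss; it reads better on its own line. The enclosing loop starts and ends outside this hunk.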