diff options
author | Laurent Aimar <fenrir@videolan.org> | 2011-09-27 23:43:53 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-09-28 00:24:51 +0200 |
commit | 039f3c33fffd2f4ae376b662ea4ec67c1d6a4c04 (patch) | |
tree | c787b18ea24fedac634492dfe22376113ec3eb88 /libavcodec | |
parent | 61930119cbff7572ebe7ade6cd9268becbec37f4 (diff) | |
download | ffmpeg-039f3c33fffd2f4ae376b662ea4ec67c1d6a4c04.tar.gz |
Check for out of bounds reads in sun rasterfile decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/sunrast.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 58bd2a2ab8..57b073428b 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -46,6 +46,7 @@ static av_cold int sunrast_init(AVCodecContext *avctx) { static int sunrast_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; SUNRASTContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -53,6 +54,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *ptr; const uint8_t *bufstart = buf; + if (avpkt->size < 32) + return AVERROR_INVALIDDATA; + if (AV_RB32(buf) != 0x59a66a95) { av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n"); return -1; @@ -109,6 +113,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, p->pict_type = AV_PICTURE_TYPE_I; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if (depth != 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); @@ -143,8 +150,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *end = ptr + h*stride; x = 0; - while (ptr != end) { + while (ptr != end && buf < buf_end) { run = 1; + if (buf_end - buf < 1) + return AVERROR_INVALIDDATA; + if ((value = *buf++) == 0x80) { run = *buf++ + 1; if (run != 1) @@ -163,6 +173,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y=0; y<h; y++) { + if (buf_end - buf < len) + break; memcpy(ptr, buf, len); ptr += stride; buf += alen; |