aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorDaniel Kang <daniel.d.kang@gmail.com>2011-01-07 19:55:22 +0000
committerCarl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>2011-01-07 19:55:22 +0000
commitfea714ecd9de557054b2540119f6b5635ba0e636 (patch)
treee5f1b77fbe6aedf4014311ad9b50b3e0e77bb2a0 /libavcodec
parent10d8eac98dba2c5652d74df478f0f8dc8f3f57f3 (diff)
downloadffmpeg-fea714ecd9de557054b2540119f6b5635ba0e636.tar.gz
Do not overread input buffer.
Fixes issue 2503. Patch by Daniel Kang, daniel.d.kang at gmail Originally committed as revision 26256 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/dpx.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index f92b3d0e31..e49c969c6f 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -55,6 +55,7 @@ static int decode_frame(AVCodecContext *avctx,
AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size;
DPXContext *const s = avctx->priv_data;
AVFrame *picture = data;
@@ -172,6 +173,10 @@ static int decode_frame(AVCodecContext *avctx,
case 8:
case 12: // Treat 12-bit as 16-bit
case 16:
+ if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+ av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+ return -1;
+ }
if (source_packet_size == target_packet_size) {
for (x = 0; x < avctx->height; x++) {
memcpy(ptr, buf, target_packet_size*avctx->width);