diff options
| author | Laurent Aimar <fenrir@videolan.org> | 2011-09-27 23:43:53 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-10-01 20:44:35 +0200 |
| commit | 23197f546762e906837fb3293ce8243852b294dd (patch) | |
| tree | 765b9c562f9463635d2120cf7434d27f665c7036 /libavcodec | |
| parent | 0a5e269f03cc812d0309ebe9c4ba5053a804635a (diff) | |
| download | ffmpeg-23197f546762e906837fb3293ce8243852b294dd.tar.gz | |
Check for out of bounds reads in sun rasterfile decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 039f3c33fffd2f4ae376b662ea4ec67c1d6a4c04)
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/sunrast.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c index 558b0edd8f..7ab8e2c3f6 100644 --- a/libavcodec/sunrast.c +++ b/libavcodec/sunrast.c @@ -46,6 +46,7 @@ static av_cold int sunrast_init(AVCodecContext *avctx) { static int sunrast_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; SUNRASTContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -53,6 +54,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *ptr; const uint8_t *bufstart = buf; + if (avpkt->size < 32) + return AVERROR_INVALIDDATA; + if (AV_RB32(buf) != 0x59a66a95) { av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n"); return -1; @@ -109,6 +113,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, p->pict_type = AV_PICTURE_TYPE_I; + if (buf_end - buf < maplength) + return AVERROR_INVALIDDATA; + if (depth != 8 && maplength) { av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n"); @@ -143,8 +150,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, uint8_t *end = ptr + h*stride; x = 0; - while (ptr != end) { + while (ptr != end && buf < buf_end) { run = 1; + if (buf_end - buf < 1) + return AVERROR_INVALIDDATA; + if ((value = *buf++) == 0x80) { run = *buf++ + 1; if (run != 1) @@ -163,6 +173,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, } } else { for (y=0; y<h; y++) { + if (buf_end - buf < len) + break; memcpy(ptr, buf, len); ptr += stride; buf += alen; |