diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-03-04 06:25:06 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-03-04 06:25:06 +0100 |
| commit | 39a3a53b66fcc115bd8d0bc0a70db66791eab854 (patch) | |
| tree | e949584639c0426f5366cedd48c0986b7ce179e2 /libavcodec | |
| parent | 337fa0dbe7b12977ba11d0ba0e6088daa6917453 (diff) | |
| download | ffmpeg-39a3a53b66fcc115bd8d0bc0a70db66791eab854.tar.gz | |
pngdec: validate length.
Fixes out of array reading.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/pngdec.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 39afbdd045..55df8b0a57 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -427,7 +427,7 @@ static int decode_frame(AVCodecContext *avctx, if (s->bytestream >= s->bytestream_end) goto fail; length = bytestream_get_be32(&s->bytestream); - if (length > 0x7fffffff) + if (length > 0x7fffffff || length > s->bytestream_end - s->bytestream) goto fail; tag32 = bytestream_get_be32(&s->bytestream); tag = av_bswap32(tag32); |