8bps: Bound-check the input buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit bd7b4da0f4627bb6c4a7c2575da83fe6b261a21c) Signed-off-by: Luca Barbato <lu_zero@gentoo.org> Conflicts: libavcodec/8bps.c
author: Luca Barbato <lu_zero@gentoo.org> 2013-07-22 23:26:05 +0200
committer: Luca Barbato <lu_zero@gentoo.org> 2013-10-16 23:05:50 +0200
commit: 5312fb828751109798780f4e17d5f77dfd3d5398 (patch)
tree: f38f4709de213d0d09e533e667a2eb82dcf4b67e /libavcodec
parent: a9ebc17b2dd5518730213c672dce714a7a50d8ca (diff)
download: ffmpeg-5312fb828751109798780f4e17d5f77dfd3d5398.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index de8dd8ee84..b54c804d1c 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -69,7 +69,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         unsigned char *pixptr, *pixptr_end;
         unsigned int height = avctx->height; // Real image height
         unsigned int dlen, p, row;
-        const unsigned char *lp, *dp;
+        const unsigned char *lp, *dp, *ep;
         unsigned char count;
         unsigned int px_inc;
         unsigned int planes = c->planes;
@@ -85,6 +85,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                 return -1;
         }
 
+        ep = encoded + buf_size;
+
         /* Set data pointer after line lengths */
         dp = encoded + planes * (height << 1);
 
@@ -102,16 +104,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
                 for(row = 0; row < height; row++) {
                         pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
                         pixptr_end = pixptr + c->pic.linesize[0];
+                        if (ep - lp < row * 2 + 2)
+                            return AVERROR_INVALIDDATA;
                         dlen = av_be2ne16(*(const unsigned short *)(lp+row*2));
                         /* Decode a row of this plane */
                         while(dlen > 0) {
-                                if(dp + 1 >= buf+buf_size) return -1;
+                                if(ep - dp <= 1) return -1;
                                 if ((count = *dp++) <= 127) {
                                         count++;
                                         dlen -= count + 1;
                                         if (pixptr + count * px_inc > pixptr_end)
                                             break;
-                                        if(dp + count > buf+buf_size) return -1;
+                                        if(ep - dp < count) return -1;
                                         while(count--) {
                                                 *pixptr = *dp++;
                                                 pixptr += px_inc;
author	Luca Barbato <lu_zero@gentoo.org>	2013-07-22 23:26:05 +0200
committer	Luca Barbato <lu_zero@gentoo.org>	2013-10-16 23:05:50 +0200
commit	5312fb828751109798780f4e17d5f77dfd3d5398 (patch)
tree	f38f4709de213d0d09e533e667a2eb82dcf4b67e /libavcodec
parent	a9ebc17b2dd5518730213c672dce714a7a50d8ca (diff)
download	ffmpeg-5312fb828751109798780f4e17d5f77dfd3d5398.tar.gz