lcldec: Check length before unsigned subtraction.

Fix integer overflow and out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-01-24 04:02:14 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-01-24 04:02:14 +0100
commit: b53ed19aa74c447ca245702e2460534509be58fa (patch)
tree: 4fe50617d9a7a1c9ba759e65633909bcf5e8e582 /libavcodec
parent: 69fb605ad5e0f1384ca4d06d38ce0f1b6c8c286d (diff)
download: ffmpeg-b53ed19aa74c447ca245702e2460534509be58fa.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index 159e0a1401..f8d45da95a 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -203,6 +203,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                 ;
             } else if (c->flags & FLAG_MULTITHREAD) {
                 mthread_inlen = AV_RL32(encoded);
+                if (len < 8) {
+                    av_log(avctx, AV_LOG_ERROR, "len %d is too small\n", len);
+                    return AVERROR_INVALIDDATA;
+                }
                 mthread_inlen = FFMIN(mthread_inlen, len - 8);
                 mthread_outlen = AV_RL32(encoded+4);
                 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);
author	Michael Niedermayer <michaelni@gmx.at>	2013-01-24 04:02:14 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-01-24 04:02:14 +0100
commit	b53ed19aa74c447ca245702e2460534509be58fa (patch)
tree	4fe50617d9a7a1c9ba759e65633909bcf5e8e582 /libavcodec
parent	69fb605ad5e0f1384ca4d06d38ce0f1b6c8c286d (diff)
download	ffmpeg-b53ed19aa74c447ca245702e2460534509be58fa.tar.gz