virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-24 13:56:33 +02:00
Code Issues Releases Activity

dsicinav: Check for overread in RLE decode.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-04-16 16:44:12 +02:00
parent 71d3c25a7e
commit 47f0beadba
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/dsicinav.c
View File

@ -179,24 +179,29 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char
return 0; return 0;
} }
static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) static int cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
{ {
int len, code; int len, code;
unsigned char *dst_end = dst + dst_size; unsigned char *dst_end = dst + dst_size;
const unsigned char *src_end = src + src_size; const unsigned char *src_end = src + src_size;
while (src < src_end && dst < dst_end) { while (src + 1 < src_end && dst < dst_end) {
code = *src++; code = *src++;
if (code & 0x80) { if (code & 0x80) {
len = code - 0x7F; len = code - 0x7F;
memset(dst, *src++, FFMIN(len, dst_end - dst)); memset(dst, *src++, FFMIN(len, dst_end - dst));
} else { } else {
len = code + 1; len = code + 1;
if (len > src_end-src) {
av_log(0, AV_LOG_ERROR, "RLE overread\n");
return AVERROR_INVALIDDATA;
}
memcpy(dst, src, FFMIN(len, dst_end - dst)); memcpy(dst, src, FFMIN(len, dst_end - dst));
src += len; src += len;
} }
dst += len; dst += len;
} }
return 0;
} }
static int cinvideo_decode_frame(AVCodecContext *avctx, static int cinvideo_decode_frame(AVCodecContext *avctx,