1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-21 10:55:51 +02:00

msrledec: Check for overreads

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2011-12-13 15:45:43 +01:00
parent be5db7004f
commit 53be37e368
2 changed files with 6 additions and 2 deletions

View File

@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0]; output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + avctx->height * pic->linesize[0]; output_end = pic->data[0] + avctx->height * pic->linesize[0];
while(src < data + srcsize) { while(src + 1 < data + srcsize) {
p1 = *src++; p1 = *src++;
if(p1 == 0) { //Escape code if(p1 == 0) { //Escape code
p2 = *src++; p2 = *src++;
@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
src += p2 * (depth >> 3); src += p2 * (depth >> 3);
continue; continue;
} }
if(data + srcsize - src < p2 * (depth >> 3)){
av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
return -1;
}
if ((depth == 8) || (depth == 24)) { if ((depth == 8) || (depth == 24)) {
for(i = 0; i < p2 * (depth >> 3); i++) { for(i = 0; i < p2 * (depth >> 3); i++) {
*output++ = *src++; *output++ = *src++;

View File

@ -21,4 +21,4 @@
0, 72000, 168000, 0x646fa087 0, 72000, 168000, 0x646fa087
0, 75600, 168000, 0x404450a2 0, 75600, 168000, 0x404450a2
0, 79200, 168000, 0x5214c456 0, 79200, 168000, 0x5214c456
0, 82800, 168000, 0xe573025c 0, 82800, 168000, 0xaef602d3