mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-11-21 10:55:51 +02:00
msrledec: Check for overreads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
be5db7004f
commit
53be37e368
@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
|
|||||||
|
|
||||||
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
|
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
|
||||||
output_end = pic->data[0] + avctx->height * pic->linesize[0];
|
output_end = pic->data[0] + avctx->height * pic->linesize[0];
|
||||||
while(src < data + srcsize) {
|
while(src + 1 < data + srcsize) {
|
||||||
p1 = *src++;
|
p1 = *src++;
|
||||||
if(p1 == 0) { //Escape code
|
if(p1 == 0) { //Escape code
|
||||||
p2 = *src++;
|
p2 = *src++;
|
||||||
@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
|
|||||||
src += p2 * (depth >> 3);
|
src += p2 * (depth >> 3);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
if(data + srcsize - src < p2 * (depth >> 3)){
|
||||||
|
av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
if ((depth == 8) || (depth == 24)) {
|
if ((depth == 8) || (depth == 24)) {
|
||||||
for(i = 0; i < p2 * (depth >> 3); i++) {
|
for(i = 0; i < p2 * (depth >> 3); i++) {
|
||||||
*output++ = *src++;
|
*output++ = *src++;
|
||||||
|
@ -21,4 +21,4 @@
|
|||||||
0, 72000, 168000, 0x646fa087
|
0, 72000, 168000, 0x646fa087
|
||||||
0, 75600, 168000, 0x404450a2
|
0, 75600, 168000, 0x404450a2
|
||||||
0, 79200, 168000, 0x5214c456
|
0, 79200, 168000, 0x5214c456
|
||||||
0, 82800, 168000, 0xe573025c
|
0, 82800, 168000, 0xaef602d3
|
||||||
|
Loading…
Reference in New Issue
Block a user