From 742978310101b435c57e7f0adaa8ab6d345d8eb7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 2 Nov 2010 01:19:12 +0000
Subject: [PATCH] Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().

Issue has been reported to me by Gynvael Coldwind

Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/msrledec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index d3d3601756..098e7d857a 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -136,6 +136,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
     int p1, p2, line=avctx->height - 1, pos=0, i;
     uint16_t av_uninit(pix16);
     uint32_t av_uninit(pix32);
+    unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
 
     output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
     output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
@@ -157,11 +158,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
             p1 = *src++;
             p2 = *src++;
             line -= p2;
-            if (line < 0){
+            pos += p1;
+            if (line < 0 || pos >= width){
                 av_log(avctx, AV_LOG_ERROR, "Skip beyond picture bounds\n");
                 return -1;
             }
-            pos += p1;
             output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
             continue;
         }
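Review bot: The added `width` is derived from the stride (`FFABS(pic->linesize[0]) / (depth >> 3)`), not from the picture width, so the new bound is the allocated row including any alignment padding beyond `avctx->width`; a delta that lands in that padding passes the later check even though the error text speaks of "picture bounds". That is enough to keep the skip inside the buffer, which is what this commit is after, but if the intent is also to reject anything outside the decoded image, `unsigned int width = avctx->width;` would express it, provided the picture is guaranteed to be allocated at least that wide, which is not visible here. A one-line comment stating which bound is meant would make this easy to audit, e.g. `/* pixels per row that fit in the allocated stride; bounds delta skips below */`. The function starts before this hunk, which shows only the declarations and the initial output pointers.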
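Review bot: `pos >= width` on the new condition compares a signed `int` against an `unsigned int`, so `pos` is converted to unsigned before the compare; because `pos` only grows by a byte value here that happens to be fail-safe (a negative `pos`, should any other path produce one, would read as huge and be rejected), but it trips -Wsign-compare and the intent is clearer if both sides share a type, e.g. declare `width` as `int` (its value is non-negative by construction) or write `(unsigned)pos >= width`. Note that this check guards only the delta/skip path; the run-length and literal writes elsewhere in the function presumably still rely on the `output_end` bound set up in the first hunk, so this closes the skip-based overrun only and those paths deserve a separate look. The enclosing loop and the function continue beyond the end of this hunk.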