[Ffmpeg-cvslog] r8501 - trunk/libavcodec/gifdec.c
bcoudurier
subversion
Sun Mar 25 00:57:42 CET 2007
Author: bcoudurier
Date: Sun Mar 25 00:57:42 2007
New Revision: 8501
Modified:
trunk/libavcodec/gifdec.c
Log:
add some length checks
Modified: trunk/libavcodec/gifdec.c
==============================================================================
--- trunk/libavcodec/gifdec.c (original)
+++ trunk/libavcodec/gifdec.c Sun Mar 25 00:57:42 2007
@@ -48,6 +48,7 @@ typedef struct GifState {
/* LZW compatible decoder */
uint8_t *bytestream;
+ uint8_t *bytestream_end;
LZWState *lzw;
/* aux buffers */
@@ -209,6 +210,9 @@ static int gif_read_header1(GifState *s)
int v, n;
int has_global_palette;
+ if (s->bytestream_end < s->bytestream + 13)
+ return -1;
+
/* read gif signature */
bytestream_get_buffer(&s->bytestream, sig, 6);
if (memcmp(sig, gif87a_sig, 6) != 0 &&
@@ -238,6 +242,8 @@ static int gif_read_header1(GifState *s)
#endif
if (has_global_palette) {
n = 1 << s->bits_per_pixel;
+ if (s->bytestream_end < s->bytestream + n * 3)
+ return -1;
bytestream_get_buffer(&s->bytestream, s->global_palette, n * 3);
}
return 0;
@@ -245,7 +251,7 @@ static int gif_read_header1(GifState *s)
static int gif_parse_next_image(GifState *s)
{
- for (;;) {
+ while (s->bytestream < s->bytestream_end) {
int code = bytestream_get_byte(&s->bytestream);
#ifdef DEBUG
dprintf(s->avctx, "gif: code=%02x '%c'\n", code, code);
@@ -289,6 +295,7 @@ static int gif_decode_frame(AVCodecConte
int ret;
s->bytestream = buf;
+ s->bytestream_end = buf + buf_size;
if (gif_read_header1(s) < 0)
return -1;
More information about the ffmpeg-cvslog
mailing list