[FFmpeg-cvslog] msrledec: Check for overreads
Michael Niedermayer
git at videolan.org
Tue Dec 13 19:30:47 CET 2011
ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Tue Dec 13 15:45:43 2011 +0100| [53be37e368928e7f274e33ef8d118109da373c79] | committer: Michael Niedermayer
msrledec: Check for overreads
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=53be37e368928e7f274e33ef8d118109da373c79
---
libavcodec/msrledec.c | 6 +++++-
tests/ref/fate/aasc | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index db8de70..129f0e0 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + avctx->height * pic->linesize[0];
- while(src < data + srcsize) {
+ while(src + 1 < data + srcsize) {
p1 = *src++;
if(p1 == 0) { //Escape code
p2 = *src++;
@@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
src += p2 * (depth >> 3);
continue;
}
+ if(data + srcsize - src < p2 * (depth >> 3)){
+ av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
+ return -1;
+ }
if ((depth == 8) || (depth == 24)) {
for(i = 0; i < p2 * (depth >> 3); i++) {
*output++ = *src++;
diff --git a/tests/ref/fate/aasc b/tests/ref/fate/aasc
index 07b3269..5da230f 100644
--- a/tests/ref/fate/aasc
+++ b/tests/ref/fate/aasc
@@ -21,4 +21,4 @@
0, 72000, 168000, 0x646fa087
0, 75600, 168000, 0x404450a2
0, 79200, 168000, 0x5214c456
-0, 82800, 168000, 0xe573025c
+0, 82800, 168000, 0xaef602d3
More information about the ffmpeg-cvslog
mailing list