[FFmpeg-cvslog] sunrast: Check for invalid/corrupted bitstream

[Laurent Aimar]

ffmpeg | branch: master | Laurent Aimar <fenrir at videolan.org> | Tue Sep 27 22:15:32 2011 +0000| [2305742b2a0fd64cccbdfe12c9e90555c8bb798e] | committer: Janne Grunau

sunrast: Check for invalid/corrupted bitstream

Signed-off-by: Janne Grunau <janne-libav at jannau.net>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2305742b2a0fd64cccbdfe12c9e90555c8bb798e
---

 libavcodec/sunrast.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c
index 9ec1df8..455619e 100644
--- a/libavcodec/sunrast.c
+++ b/libavcodec/sunrast.c
@@ -68,21 +68,25 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
     type      = AV_RB32(buf+20);
     maptype   = AV_RB32(buf+24);
     maplength = AV_RB32(buf+28);
+    buf      += 32;
 
     if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
         av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
         return -1;
     }
-    if (type > RT_FORMAT_IFF) {
+    if (type < RT_OLD || type > RT_FORMAT_IFF) {
         av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
         return -1;
     }
+    if (av_image_check_size(w, h, 0, avctx)) {
+        av_log(avctx, AV_LOG_ERROR, "invalid image size\n");
+        return -1;
+    }
     if (maptype & ~1) {
         av_log(avctx, AV_LOG_ERROR, "invalid colormap type\n");
         return -1;
     }
 
-    buf += 32;
 
     switch (depth) {
         case 1:
@@ -102,8 +106,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
     if (p->data[0])
         avctx->release_buffer(avctx, p);
 
-    if (av_image_check_size(w, h, 0, avctx))
-        return -1;
     if (w != avctx->width || h != avctx->height)
         avcodec_set_dimensions(avctx, w, h);
     if (avctx->get_buffer(avctx, p) < 0) {