[FFmpeg-cvslog] paf: prevent invalid write

Paul B Mahol git at videolan.org
Mon Aug 13 14:31:37 CEST 2012


ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Mon Aug 13 12:26:38 2012 +0000| [bd70a527129a1c049a8ab38236bf87f7d459df10] | committer: Paul B Mahol

paf: prevent invalid write

Closes #1631.

Signed-off-by: Paul B Mahol <onemda at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd70a527129a1c049a8ab38236bf87f7d459df10
---

 libavcodec/paf.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/paf.c b/libavcodec/paf.c
index 8b3c46f..1c3e8b8 100644
--- a/libavcodec/paf.c
+++ b/libavcodec/paf.c
@@ -164,14 +164,16 @@ static int decode_0(AVCodecContext *avctx, uint8_t code, uint8_t *pkt)
         } while (--i);
     }
 
-    dst = c->frame[c->current_frame];
+    dst  = c->frame[c->current_frame];
+    dend = c->frame[c->current_frame] + c->frame_size;
     do {
         a    = bytestream2_get_byte(&c->gb);
         b    = bytestream2_get_byte(&c->gb);
         p    = (a & 0xC0) >> 6;
         src  = c->frame[p] + get_video_page_offset(avctx, a, b);
         send = c->frame[p] + c->frame_size;
-        if (src + 3 * avctx->width + 4 > send)
+        if ((src + 3 * avctx->width + 4 > send) ||
+            (dst + 3 * avctx->width + 4 > dend))
             return AVERROR_INVALIDDATA;
         copy_block4(dst, src, avctx->width, avctx->width, 4);
         i++;
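
Review bot: the new destination check inside the loop, `dst + 3 * avctx->width + 4 > dend`, like the source check it is joined to, computes a pointer that may lie past the end of the frame buffer before comparing it. C leaves that arithmetic undefined once the result is more than one element past the end, so the sum can wrap or the compiler can fold the test away. Suggest comparing the remaining space instead, for example `dend - dst < 3 * avctx->width + 4` and `send - src < 3 * avctx->width + 4`, which keeps both operands inside the allocation. A one-line comment noting that `3 * avctx->width + 4` is the span touched by the `copy_block4` call (4 rows at stride `avctx->width`) would also document why the same bound applies to both `src` and `dst`.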


