[FFmpeg-cvslog] 8bps: check index against buffer size before reading line length pointer.

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed Nov 14 03:33:06 2012 +0100| [66ff90f4a3d81c25feaa672dc8cc9cc88017753d] | committer: Michael Niedermayer

8bps: check index against buffer size before reading line length pointer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=66ff90f4a3d81c25feaa672dc8cc9cc88017753d
---

 libavcodec/8bps.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index a6d0a1b..f895ed3 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -98,6 +98,8 @@ static int decode_frame(AVCodecContext *avctx, void *data,
         for (row = 0; row < height; row++) {
             pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
             pixptr_end = pixptr + c->pic.linesize[0];
+            if(lp - encoded + row*2 + 1 >= buf_size)
+                return -1;
             dlen = av_be2ne16(*(const unsigned short *)(lp + row * 2));
             /* Decode a row of this plane */
             while (dlen > 0) {