[FFmpeg-cvslog] avcodec/pnm: Check that the header is not truncated

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sat Dec 14 19:19:57 2019 +0100| [758119ca41f049a916b2c37daed2950102b150c9] | committer: Michael Niedermayer

avcodec/pnm: Check that the header is not truncated

Fixes: Ticket8430

Reviewed-by: Paul B Mahol <onemda at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit c94cb8d9b21baeeecef962c72965dbedc4e0b0e1)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=758119ca41f049a916b2c37daed2950102b150c9
---

 libavcodec/pnm.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c
index 8b4a4ac292..947360021e 100644
--- a/libavcodec/pnm.c
+++ b/libavcodec/pnm.c
@@ -108,6 +108,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
                 return AVERROR_INVALIDDATA;
             }
         }
+        if (!pnm_space(s->bytestream[-1]))
+            return AVERROR_INVALIDDATA;
+
         /* check that all tags are present */
         if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
             return AVERROR_INVALIDDATA;
@@ -187,6 +190,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
         }
     }else
         s->maxval=1;
+
+    if (!pnm_space(s->bytestream[-1]))
+        return AVERROR_INVALIDDATA;
+
     /* more check if YUV420 */
     if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) {
         if ((avctx->width & 1) != 0)