[FFmpeg-devel] [PATCH 2/3] pictordec: prevent segfault when reading corrupted files
Peter Ross
pross at xvid.org
Thu Dec 1 09:17:16 CET 2011
---
libavcodec/pictordec.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 09aae72..ca3e791 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -202,13 +202,13 @@ static int decode_frame(AVCodecContext *avctx,
y = s->height - 1;
plane = 0;
if (bytestream_get_le16(&buf)) {
- while (buf_end - buf >= 6) {
+ while (y >= 0 && buf_end - buf >= 6) {
const uint8_t *buf_pend = buf + FFMIN(AV_RL16(buf), buf_end - buf);
//ignore uncompressed block size reported at buf[2]
int marker = buf[4];
buf += 5;
- while (plane < s->nb_planes && buf_pend - buf >= 1) {
+ while (plane < s->nb_planes && y >= 0 && buf_pend - buf >= 1) {
int run = 1;
int val = *buf++;
if (val == marker) {
@@ -222,8 +222,6 @@ static int decode_frame(AVCodecContext *avctx,
if (bits_per_plane == 8) {
picmemset_8bpp(s, val, run, &x, &y);
- if (y < 0)
- break;
} else {
picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
}
--
1.7.7.1
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20111201/1c1bcd74/attachment.asc>
More information about the ffmpeg-devel
mailing list