[FFmpeg-devel] [PATCH 2/3] pictordec: prevent segfault when reading corrupted files

Peter Ross pross at xvid.org
Thu Dec 1 09:17:16 CET 2011


---
 libavcodec/pictordec.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 09aae72..ca3e791 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -202,13 +202,13 @@ static int decode_frame(AVCodecContext *avctx,
     y = s->height - 1;
     plane = 0;
     if (bytestream_get_le16(&buf)) {
-        while (buf_end - buf >= 6) {
+        while (y >= 0 && buf_end - buf >= 6) {
             const uint8_t *buf_pend = buf + FFMIN(AV_RL16(buf), buf_end - buf);
             //ignore uncompressed block size reported at buf[2]
             int marker = buf[4];
             buf += 5;
 
-            while (plane < s->nb_planes && buf_pend - buf >= 1) {
+            while (plane < s->nb_planes && y >= 0 && buf_pend - buf >= 1) {
                 int run = 1;
                 int val = *buf++;
                 if (val == marker) {
@@ -222,8 +222,6 @@ static int decode_frame(AVCodecContext *avctx,
 
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, val, run, &x, &y);
-                    if (y < 0)
-                        break;
                 } else {
                     picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
                 }
-- 
1.7.7.1

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20111201/1c1bcd74/attachment.asc>


More information about the ffmpeg-devel mailing list