msrledec: Check for overreads

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 53be37e368)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer 2011-12-13 15:45:43 +01:00
parent b4ad641334
commit 0a2fbb0a84
2 changed files with 6 additions and 2 deletions


@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + avctx->height * pic->linesize[0];
while(src < data + srcsize) {
while(src + 1 < data + srcsize) {
p1 = *src++;
if(p1 == 0) { //Escape code
p2 = *src++;
@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
src += p2 * (depth >> 3);
continue;
}
if(data + srcsize - src < p2 * (depth >> 3)){
av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
return -1;
}
if ((depth == 8) || (depth == 24)) {
for(i = 0; i < p2 * (depth >> 3); i++) {
*output++ = *src++;
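Review bot: The length check `if(data + srcsize - src < p2 * (depth >> 3))` sits after the branch that does `src += p2 * (depth >> 3); continue;`, so that skip path still advances `src` without comparing it to the remaining input. On a truncated packet this can move `src` past `data + srcsize`; the loop condition `src + 1 < data + srcsize` will most likely end the loop, but forming a pointer beyond one past the end of the buffer is undefined behaviour in C. Moving the length check above that branch, whose condition starts outside the hunk, would cover both the copy and the skip path. The +/- markers are lost on this page, so which lines are new is inferred from the hunk header counts, and the body of msrle_decode_8_16_24_32 starts and ends outside the hunks shown.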


@ -21,4 +21,4 @@
0, 72000, 168000, 0x646fa087
0, 75600, 168000, 0x404450a2
0, 79200, 168000, 0x5214c456
0, 82800, 168000, 0xe573025c
0, 82800, 168000, 0xaef602d3