mirror of https://git.ffmpeg.org/ffmpeg.git
msrledec: Check for overreads
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 53be37e368
)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
b4ad641334
commit
0a2fbb0a84
|
@ -140,7 +140,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
|
|||
|
||||
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
|
||||
output_end = pic->data[0] + avctx->height * pic->linesize[0];
|
||||
while(src < data + srcsize) {
|
||||
while(src + 1 < data + srcsize) {
|
||||
p1 = *src++;
|
||||
if(p1 == 0) { //Escape code
|
||||
p2 = *src++;
|
||||
|
@ -172,6 +172,10 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
|
|||
src += p2 * (depth >> 3);
|
||||
continue;
|
||||
}
|
||||
if(data + srcsize - src < p2 * (depth >> 3)){
|
||||
av_log(avctx, AV_LOG_ERROR, "Copy beyond input buffer\n");
|
||||
return -1;
|
||||
}
|
||||
if ((depth == 8) || (depth == 24)) {
|
||||
for(i = 0; i < p2 * (depth >> 3); i++) {
|
||||
*output++ = *src++;
|
||||
|
|
|
@ -21,4 +21,4 @@
|
|||
0, 72000, 168000, 0x646fa087
|
||||
0, 75600, 168000, 0x404450a2
|
||||
0, 79200, 168000, 0x5214c456
|
||||
0, 82800, 168000, 0xe573025c
|
||||
0, 82800, 168000, 0xaef602d3
|
||||
|
|
Loading…
Reference in New Issue