RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-02-18 04:47:12 +00:00
Code Issues Projects Releases Wiki Activity

roqvideodec: Improve checking of input buffer bounds.

Browse Source 
Fixes trac issue #408.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
This commit is contained in:
Reimar Döffinger 2011-08-20 13:13:01 +02:00
parent ff96098084
commit 18de79692c
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/roqvideodec.c
View File

@ -71,9 +71,17 @@ static void roqvideo_decode_frame(RoqContext *ri)
} }
bpos = xpos = ypos = 0; bpos = xpos = ypos = 0;
if (chunk_size > buf_end - buf) {
av_log(ri->avctx, AV_LOG_ERROR, "Chunk does not fit in input buffer\n");
chunk_size = buf_end - buf;
}
while(bpos < chunk_size) { while(bpos < chunk_size) {
for (yp = ypos; yp < ypos + 16; yp += 8) for (yp = ypos; yp < ypos + 16; yp += 8)
for (xp = xpos; xp < xpos + 16; xp += 8) { for (xp = xpos; xp < xpos + 16; xp += 8) {
if (bpos >= chunk_size) {
av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
return;
}
if (vqflg_pos < 0) { if (vqflg_pos < 0) {
vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8); vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8);
vqflg_pos = 7; vqflg_pos = 7;
@ -103,6 +111,10 @@ static void roqvideo_decode_frame(RoqContext *ri)
if(k & 0x01) x += 4; if(k & 0x01) x += 4;
if(k & 0x02) y += 4; if(k & 0x02) y += 4;
if (bpos >= chunk_size) {
av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
return;
}
if (vqflg_pos < 0) { if (vqflg_pos < 0) {
vqflg = buf[bpos++]; vqflg = buf[bpos++];
vqflg |= (buf[bpos++] << 8); vqflg |= (buf[bpos++] << 8);