sanm: Check decoded_size.

This prevents a buffer overflow in rle_decode()

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-01-24 00:27:10 +01:00
parent 31cd1e20bb
commit 7357ca900e
1 changed files with 5 additions and 0 deletions

View File

@ -639,6 +639,11 @@ static int old_codec47(SANMVideoContext *ctx, int top,
decoded_size = bytestream2_get_le32(&ctx->gb);
bytestream2_skip(&ctx->gb, 8);
if (decoded_size > height * stride - left - top * stride) {
decoded_size = height * stride - left - top * stride;
av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n");
}
if (skip & 1)
bytestream2_skip(&ctx->gb, 0x8080);
if (!seq) {