lagarith: check count before writing zeros.

Fixes CVE-2012-2793

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Michael Niedermayer 2012-04-14 18:28:31 +02:00 committed by Anton Khirnov
parent 99f392a584
commit b631e4ed64
1 changed files with 5 additions and 0 deletions

View File

@ -361,6 +361,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
output_zeros:
if (l->zeros_rem) {
count = FFMIN(l->zeros_rem, width - i);
if (end - dst < count) {
av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
return AVERROR_INVALIDDATA;
}
memset(dst, 0, count);
l->zeros_rem -= count;
dst += count;