diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2011-12-29 05:16:34 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-01-03 22:40:17 +0100 |
| commit | 7cd9732b334241aa40ecd39a8860ed6fbbf42757 (patch) | |
| tree | 6f2ca51d318449317d5d0a64a8abd8d59fd3a66c | |
| parent | acdc505b2aeeeed72bf9f7373a5991861afb5752 (diff) | |
| download | ffmpeg-7cd9732b334241aa40ecd39a8860ed6fbbf42757.tar.gz | |
qpeg: Check for overread in qpeg_decode_intra.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e7c1e38ba632f7315e332dd350b38f782f428884)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/qpeg.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index 84e2b41629..bbb9f71aae 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -32,7 +32,7 @@ typedef struct QpegContext{ uint32_t pal[256]; } QpegContext; -static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size, +static int qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size, int stride, int width, int height) { int i; @@ -94,6 +94,8 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size, } } else { size -= copy; + if (size<0) + return AVERROR_INVALIDDATA; for(i = 0; i < copy; i++) { dst[filled++] = *src++; if (filled >= width) { @@ -106,6 +108,7 @@ static void qpeg_decode_intra(const uint8_t *src, uint8_t *dst, int size, } } } + return 0; } static const int qpeg_table_h[16] = @@ -259,7 +262,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame * p= (AVFrame*)&a->pic; AVFrame * ref= (AVFrame*)&a->ref; uint8_t* outdata; - int delta; + int delta, ret = 0; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL); if(ref->data[0]) @@ -273,12 +276,15 @@ static int decode_frame(AVCodecContext *avctx, } outdata = a->pic.data[0]; if(buf[0x85] == 0x10) { - qpeg_decode_intra(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height); + ret = qpeg_decode_intra(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height); } else { delta = buf[0x85]; qpeg_decode_inter(buf+0x86, outdata, buf_size - 0x86, a->pic.linesize[0], avctx->width, avctx->height, delta, buf + 4, a->ref.data[0]); } + if (ret<0) + return ret; + /* make the palette available on the way out */ if (pal) { a->pic.palette_has_changed = 1; |