ffmpeg | branch: master | Luca Barbato <lu_z...@gentoo.org> | Thu Sep 10 14:46:05 2015 +0200| [9b5a4a9cce3042558e107ae1ed30d9bf3d867a35] | committer: Luca Barbato
mmvideo: Make sure the rle does not write over the frame boundaries Bug-Id: 887 CC: libav-sta...@libav.org > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b5a4a9cce3042558e107ae1ed30d9bf3d867a35
---
 libavcodec/mmvideo.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index f8adcdd..0736630 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -99,7 +99,8 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
 while (bytestream2_get_bytes_left(&s->gb) > 0) {
 int run_length, color;
- if (y >= s->avctx->height)
+ // writes one more line when half_vert is true
+ if (y >= s->avctx->height + !!half_vert)
 return 0;
 color = bytestream2_get_byte(&s->gb);
@@ -113,6 +114,9 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
 if (half_horiz)
 run_length *=2;
+ if (s->avctx->width - x < run_length)
+ return AVERROR_INVALIDDATA;
+
 if (color) {
 memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length);
 if (half_vert)
_______________________________________________
ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
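Review bot: The new bound `y >= s->avctx->height + !!half_vert` in the first hunk is looser than the check it replaces: with half_vert set, y == height no longer returns, so if the row advance (outside the hunk) can land y on height, the `memset` at `y*s->frame->linesize[0]` shown in the second hunk starts one full row below the last visible line. The half_vert branch, cut off at the end of that hunk, presumably writes row y+1 as well. If the comment means that half_vert touches one extra row, the term belongs on the left-hand side, `if (y + !!half_vert >= s->avctx->height)`, or the second-row write should get its own guard so that an odd height still receives its last line. As written the check relies on the frame buffer having spare rows below height, which nothing in the hunk establishes. The function body starts and ends outside the hunk.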
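Review bot: The width check added in the second hunk has no comment, unlike the height check in the first hunk, although it is the line that keeps the `memset` below it inside the current row. I would add `// run_length is already doubled for half_horiz; a run may not cross the right edge of the row` above `if (s->avctx->width - x < run_length)`. It is also the only error return visible in mm_decode_intra in this diff, so it is worth confirming that the caller, which is not shown, checks the result instead of treating a partially decoded frame as valid. The function body starts and ends outside the hunk.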