From: "Ronald S. Bultje" <[email protected]>
This prevents crashes when trying to read beyond the end of the buffer
while decoding frame data.
---
libavcodec/lcldec.c | 28 ++++++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
index a7f0bde..fc5e03c 100644
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -224,6 +224,34 @@ static int decode_frame(AVCodecContext *avctx, void *data,
int *data_size, AVPac
}
break;
case COMP_MSZH_NOCOMP:
+ switch (c->imgtype) {
+ case IMGTYPE_YUV111:
+ if (len < width * height * 3)
+ return AVERROR_INVALIDDATA;
+ break;
+ case IMGTYPE_YUV422:
+ if (len < width * height * 2)
+ return AVERROR_INVALIDDATA;
+ break;
+ case IMGTYPE_RGB24:
+ if (len < width * height * 3)
+ return AVERROR_INVALIDDATA;
+ break;
+ case IMGTYPE_YUV411:
+ if (len < ((width * height * 3) >> 1))
+ return AVERROR_INVALIDDATA;
+ break;
+ case IMGTYPE_YUV211:
+ if (len < width * height * 2)
+ return AVERROR_INVALIDDATA;
+ break;
+ case IMGTYPE_YUV420:
+ if (len < ((width * height * 3) >> 1))
+ return AVERROR_INVALIDDATA;
+ break;
+ default:
+ break;
+ }
break;
default:
av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in
frame decoder.\n");
--
1.7.7.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
