generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

lagarith: check count before writing zeros.

Browse Source 
Fixes CVE-2012-2793

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Michael Niedermayer 2012-04-14 18:28:31 +02:00 committed by Reinhard Tartler
parent 1c8e2561b4
commit 14bba214fa
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/lagarith.c
View File

@ -326,6 +326,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
output_zeros:
if (l->zeros_rem) {
count = FFMIN(l->zeros_rem, width - i);
if (end - dst < count) {
av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
return AVERROR_INVALIDDATA;
}
memset(dst, 0, count);
l->zeros_rem -= count;
dst += count;