raw: move buffer size check up.

This way, it protects against overreads for 4bpp/2bpp content also.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Ronald S. Bultje 2012-03-06 16:08:10 -08:00
parent f1320dc3be
commit cc5dd632ce

View File

@ -129,6 +129,9 @@ static int raw_decode(AVCodecContext *avctx,
frame->reordered_opaque = avctx->reordered_opaque; frame->reordered_opaque = avctx->reordered_opaque;
frame->pkt_pts = avctx->pkt->pts; frame->pkt_pts = avctx->pkt->pts;
if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
return -1;
//2bpp and 4bpp raw in avi and mov (yes this is ugly ...) //2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
if (context->buffer) { if (context->buffer) {
int i; int i;
@ -153,9 +156,6 @@ static int raw_decode(AVCodecContext *avctx,
avctx->codec_tag == MKTAG('A', 'V', 'u', 'p')) avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
buf += buf_size - context->length; buf += buf_size - context->length;
if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
return -1;
avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height); avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) || if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
(av_pix_fmt_descriptors[avctx->pix_fmt].flags & PIX_FMT_PSEUDOPAL)) { (av_pix_fmt_descriptors[avctx->pix_fmt].flags & PIX_FMT_PSEUDOPAL)) {