raw: move buffer size check up.
This way, it protects against overreads for 4bpp/2bpp content also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
parent
f1320dc3be
commit
cc5dd632ce
@ -129,6 +129,9 @@ static int raw_decode(AVCodecContext *avctx,
|
|||||||
frame->reordered_opaque = avctx->reordered_opaque;
|
frame->reordered_opaque = avctx->reordered_opaque;
|
||||||
frame->pkt_pts = avctx->pkt->pts;
|
frame->pkt_pts = avctx->pkt->pts;
|
||||||
|
|
||||||
|
if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
|
||||||
|
return -1;
|
||||||
|
|
||||||
//2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
|
//2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
|
||||||
if (context->buffer) {
|
if (context->buffer) {
|
||||||
int i;
|
int i;
|
||||||
@ -153,9 +156,6 @@ static int raw_decode(AVCodecContext *avctx,
|
|||||||
avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
|
avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
|
||||||
buf += buf_size - context->length;
|
buf += buf_size - context->length;
|
||||||
|
|
||||||
if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
|
|
||||||
return -1;
|
|
||||||
|
|
||||||
avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
|
avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
|
||||||
if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
|
if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
|
||||||
(av_pix_fmt_descriptors[avctx->pix_fmt].flags & PIX_FMT_PSEUDOPAL)) {
|
(av_pix_fmt_descriptors[avctx->pix_fmt].flags & PIX_FMT_PSEUDOPAL)) {
|
||||||
|
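Review bot: The relocated guard still accepts PAL8 packets up to `256*4` bytes shorter than `context->length`, so in the second hunk `buf += buf_size - context->length;` can receive a negative offset and move `buf` to before the start of the packet data, after which `avpicture_fill()` points the picture at memory outside the packet. This assumes `buf_size` still holds the packet size at that point and that the codec-tag condition, whose first line is outside the hunk, can be true for a PAL8 stream; both need checking against the full body of `raw_decode`, which starts and ends outside these hunks. If so, apply the offset only when it is positive, e.g. `if (buf_size > context->length) buf += buf_size - context->length;` inside the tag check. Separately, the new early exit would be easier for callers to classify as `return AVERROR_INVALIDDATA;` than as a bare `return -1;`.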