dfa: improve boundary checks in decode_dds1()

author Anton Khirnov <anton@khirnov.net>

Sat, 29 Sep 2012 11:25:28 +0000 (13:25 +0200)

committer Anton Khirnov <anton@khirnov.net>

Sat, 29 Sep 2012 17:17:07 +0000 (19:17 +0200)
author Anton Khirnov <anton@khirnov.net>
Sat, 29 Sep 2012 11:25:28 +0000 (13:25 +0200)
committer Anton Khirnov <anton@khirnov.net>
Sat, 29 Sep 2012 17:17:07 +0000 (19:17 +0200)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c

index c6f09c89a72280754f5cc697f607f763a9dcb9a2..d464acb1870606426ad274be64b1d2ad3136bcc0 100644 (file)
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -153,8 +153,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
              bitbuf = bytestream2_get_le16u(gb);
              mask = 1;
          }
-        if (frame_end - frame < 2)
-            return AVERROR_INVALIDDATA;
+
          if (bitbuf & mask) {
              v = bytestream2_get_le16(gb);
              offset = (v & 0x1FFF) << 2;
@@ -168,9 +167,12 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                  frame += 2;
              }
          } else if (bitbuf & (mask << 1)) {
-            frame += bytestream2_get_le16(gb) * 2;
+            v = bytestream2_get_le16(gb)*2;
+            if (frame - frame_end < v)
+                return AVERROR_INVALIDDATA;
+            frame += v;
          } else {
-            if (frame_end - frame < width + 2)
+            if (frame_end - frame < width + 3)
                  return AVERROR_INVALIDDATA;
              frame[0] = frame[1] =
              frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);
author	Anton Khirnov <anton@khirnov.net>
	Sat, 29 Sep 2012 11:25:28 +0000 (13:25 +0200)
committer	Anton Khirnov <anton@khirnov.net>
	Sat, 29 Sep 2012 17:17:07 +0000 (19:17 +0200)