Do not overread input buffer.

author Daniel Kang <daniel.d.kang@gmail.com>

Fri, 7 Jan 2011 19:55:22 +0000 (19:55 +0000)

committer Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>

Fri, 7 Jan 2011 19:55:22 +0000 (19:55 +0000)
author Daniel Kang <daniel.d.kang@gmail.com>
Fri, 7 Jan 2011 19:55:22 +0000 (19:55 +0000)
committer Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>
Fri, 7 Jan 2011 19:55:22 +0000 (19:55 +0000)
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c

index f92b3d0..e49c969 100644 (file)
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -55,6 +55,7 @@ static int decode_frame(AVCodecContext *avctx,
                          AVPacket *avpkt)
  {
      const uint8_t *buf = avpkt->data;
+    const uint8_t *buf_end = avpkt->data + avpkt->size;
      int buf_size       = avpkt->size;
      DPXContext *const s = avctx->priv_data;
      AVFrame *picture  = data;
@@ -172,6 +173,10 @@ static int decode_frame(AVCodecContext *avctx,
          case 8:
          case 12: // Treat 12-bit as 16-bit
          case 16:
+            if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+                av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+                return -1;
+            }
              if (source_packet_size == target_packet_size) {
                  for (x = 0; x < avctx->height; x++) {
                      memcpy(ptr, buf, target_packet_size*avctx->width);
author	Daniel Kang <daniel.d.kang@gmail.com>
	Fri, 7 Jan 2011 19:55:22 +0000 (19:55 +0000)
committer	Carl Eugen Hoyos <cehoyos@rainbow.studorg.tuwien.ac.at>
	Fri, 7 Jan 2011 19:55:22 +0000 (19:55 +0000)