Merge commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22'
authorMichael Niedermayer <michaelni@gmx.at>
Fri, 12 Jul 2013 10:57:17 +0000 (12:57 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 12 Jul 2013 10:58:13 +0000 (12:58 +0200)
* commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22':
  pcx: Do not overread source buffer in pcx_rle_decode

Conflicts:
libavcodec/pcx.c

See: 8cd1c0febe88b757e915e9af15559575c21ca728
Bytestream based system is left in place and not switched to buf+end, such switch would be
a step backward

Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/pcx.c

  #include "get_bits.h"
  #include "internal.h"
  
- static void pcx_rle_decode(GetByteContext *gb, uint8_t *dst,
-                            unsigned int bytes_per_scanline, int compressed)
 -/**
 - * @return advanced src pointer
 - */
 -static const uint8_t *pcx_rle_decode(const uint8_t *src,
 -                                     const uint8_t *end,
 -                                     uint8_t *dst,
 -                                     unsigned int bytes_per_scanline,
 -                                     int compressed)
++static void pcx_rle_decode(GetByteContext *gb,
++                           uint8_t *dst,
++                           unsigned int bytes_per_scanline,
++                           int compressed)
  {
      unsigned int i = 0;
      unsigned char run, value;
  
      if (compressed) {
-         while (i < bytes_per_scanline) {
 -        while (i < bytes_per_scanline && src < end) {
++        while (i < bytes_per_scanline && bytestream2_get_bytes_left(gb)>0) {
              run   = 1;
 -            value = *src++;
 -            if (value >= 0xc0 && src < end) {
 +            value = bytestream2_get_byte(gb);
-             if (value >= 0xc0) {
++            if (value >= 0xc0 && bytestream2_get_bytes_left(gb)>0) {
                  run   = value & 0x3f;
 -                value = *src++;
 +                value = bytestream2_get_byte(gb);
              }
              while (i < bytes_per_scanline && run--)
                  dst[i++] = value;
@@@ -99,12 -104,13 +101,13 @@@ static int pcx_decode_frame(AVCodecCont
      w = xmax - xmin + 1;
      h = ymax - ymin + 1;
  
 -    bits_per_pixel     = buf[3];
 -    bytes_per_line     = AV_RL16(buf + 66);
 -    nplanes            = buf[65];
 +    bytestream2_skipu(&gb, 49);
 +    nplanes            = bytestream2_get_byteu(&gb);
 +    bytes_per_line     = bytestream2_get_le16u(&gb);
      bytes_per_scanline = nplanes * bytes_per_line;
  
-     if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8) {
 -    if (bytes_per_scanline < w * bits_per_pixel * nplanes / 8 ||
 -        (!compressed && bytes_per_scanline > buf_size / h)) {
++    if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 ||
++        (!compressed && bytes_per_scanline > bytestream2_get_bytes_left(&gb) / h)) {
          av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n");
          return AVERROR_INVALIDDATA;
      }