avcodec/sgidec: fix count check
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 27 Oct 2014 19:48:58 +0000 (20:48 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 27 Oct 2014 19:55:57 +0000 (20:55 +0100)
Fixes: asan_heap-oob_22b30d4_39_038.sgi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/sgidec.c

index 8338863..3ddbf77 100644 (file)
@@ -98,7 +98,7 @@ static int expand_rle_row16(SgiState *s, uint16_t *out_buf,
             break;
 
         /* Check for buffer overflow. */
-        if (pixelstride * (count - 1) >= len) {
+        if (out_end - out_buf <= pixelstride * (count - 1)) {
             av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
             return AVERROR_INVALIDDATA;
         }