loco: check that there is data left after decoding a plane.
authorAnton Khirnov <anton@khirnov.net>
Thu, 14 Feb 2013 08:08:35 +0000 (09:08 +0100)
committerAnton Khirnov <anton@khirnov.net>
Sat, 23 Feb 2013 08:20:42 +0000 (09:20 +0100)
CC:libav-stable@libav.org

libavcodec/loco.c

index d2b2e88f90b64aeceecd1dda21d1703dea4b9f56..b1ad41ae46fc3dff8fea4b159ea2f66164fb3851 100644 (file)
@@ -190,43 +190,70 @@ static int decode_frame(AVCodecContext *avctx,
     case LOCO_CYUY2: case LOCO_YUY2: case LOCO_UYVY:
         decoded = loco_decode_plane(l, p->data[0], avctx->width, avctx->height,
                                     p->linesize[0], buf, buf_size, 1);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[1], avctx->width / 2, avctx->height,
                                     p->linesize[1], buf, buf_size, 1);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[2], avctx->width / 2, avctx->height,
                                     p->linesize[2], buf, buf_size, 1);
         break;
     case LOCO_CYV12: case LOCO_YV12:
         decoded = loco_decode_plane(l, p->data[0], avctx->width, avctx->height,
                                     p->linesize[0], buf, buf_size, 1);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[2], avctx->width / 2, avctx->height / 2,
                                     p->linesize[2], buf, buf_size, 1);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[1], avctx->width / 2, avctx->height / 2,
                                     p->linesize[1], buf, buf_size, 1);
         break;
     case LOCO_CRGB: case LOCO_RGB:
         decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1), avctx->width, avctx->height,
                                     -p->linesize[0], buf, buf_size, 3);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1) + 1, avctx->width, avctx->height,
                                     -p->linesize[0], buf, buf_size, 3);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[0] + p->linesize[0]*(avctx->height-1) + 2, avctx->width, avctx->height,
                                     -p->linesize[0], buf, buf_size, 3);
         break;
     case LOCO_RGBA:
         decoded = loco_decode_plane(l, p->data[0], avctx->width, avctx->height,
                                     p->linesize[0], buf, buf_size, 4);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[0] + 1, avctx->width, avctx->height,
                                     p->linesize[0], buf, buf_size, 4);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[0] + 2, avctx->width, avctx->height,
                                     p->linesize[0], buf, buf_size, 4);
+        if (decoded >= buf_size)
+            goto buf_too_small;
         buf += decoded; buf_size -= decoded;
+
         decoded = loco_decode_plane(l, p->data[0] + 3, avctx->width, avctx->height,
                                     p->linesize[0], buf, buf_size, 4);
         break;
@@ -236,6 +263,9 @@ static int decode_frame(AVCodecContext *avctx,
     *(AVFrame*)data = l->pic;
 
     return buf_size;
+buf_too_small:
+    av_log(avctx, AV_LOG_ERROR, "Input data too small.\n");
+    return AVERROR(EINVAL);
 }
 
 static av_cold int decode_init(AVCodecContext *avctx)