cdgraphics: Fix out of array write
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 28 May 2012 14:50:15 +0000 (16:50 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sat, 9 Jun 2012 19:06:12 +0000 (21:06 +0200)
Fixes Ticket1359

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1e5c7376c4ed733910845c9a09e272ac7696b1f4)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/cdgraphics.c

index aae7bbb..3edeefc 100644 (file)
@@ -280,6 +280,10 @@ static int cdg_decode_frame(AVCodecContext *avctx,
         av_log(avctx, AV_LOG_ERROR, "buffer too small for decoder\n");
         return AVERROR(EINVAL);
     }
+    if (buf_size > CDG_HEADER_SIZE + CDG_DATA_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "buffer too big for decoder\n");
+        return AVERROR(EINVAL);
+    }
 
     ret = avctx->reget_buffer(avctx, &cc->frame);
     if (ret) {