Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 2 Nov 2010 01:19:12 +0000 (01:19 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 2 Nov 2010 01:19:12 +0000 (01:19 +0000)
Issue has been reported to me by Gynvael Coldwind

Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/msrledec.c

index d3d36017567cd9ad2df2e4627e870c008c76f66d..098e7d857ac8b78e1444b0c51e3912edd088e30d 100644 (file)
@@ -136,6 +136,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
     int p1, p2, line=avctx->height - 1, pos=0, i;
     uint16_t av_uninit(pix16);
     uint32_t av_uninit(pix32);
+    unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
 
     output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
     output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
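Review bot: The new `width` on the added line is derived from `pic->linesize[0]`, i.e. the row stride, so it is a row capacity in pixels (stride padding included) rather than the visible picture width `avctx->width`; a bounds check against it stops memory overruns but can still let a skip land in the padding area. A comment stating that would keep the next reader from treating it as the image width: `/* row capacity in pixels from the stride (may include padding), used only for bounds checks */`. The divisor `depth >> 3` is zero for depths below 8; the function name suggests callers only pass 8/16/24/32, but that precondition is not visible in the hunk and is worth stating in the comment as well. The enclosing function begins before this hunk and its body continues past it.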
@@ -157,11 +158,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
                 p1 = *src++;
                 p2 = *src++;
                 line -= p2;
-                if (line < 0){
+                pos += p1;
+                if (line < 0 || pos >= width){
                     av_log(avctx, AV_LOG_ERROR, "Skip beyond picture bounds\n");
                     return -1;
                 }
-                pos += p1;
                 output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
                 continue;
             }
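Review bot: The added check `pos >= width` compares the `int` `pos` (declared on the first context line of the previous hunk) with an `unsigned int` `width`, so `pos` is promoted to unsigned; with `p1` read from a byte stream `pos` only grows here, so the result is still safe, but the implicit conversion hides the intent and will trip `-Wsign-compare`. Declaring `width` as `int` (the stride is already made non-negative by `FFABS`) or writing the test as `(unsigned)pos >= width` makes the bounds test explicit. Moving `pos += p1` ahead of the check is the right order, since the later `output` computation uses the updated `pos`; a short why-comment such as `/* update pos before the bounds test so the skip target itself is validated */` would document it. The skip branch is the only place this hunk validates `pos`; other paths that advance `pos` lie outside the hunk and I cannot confirm from here that they are bounded the same way.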