Merge commit 'a1f7844a11010d8552c75424d1a831b37a0ae5d9' into release/2.2
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 5 Aug 2014 01:52:49 +0000 (03:52 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 5 Aug 2014 01:54:50 +0000 (03:54 +0200)
* commit 'a1f7844a11010d8552c75424d1a831b37a0ae5d9':
  pgssubdec: Check RLE size before copying

See: c0d68be555f5858703383040e04fcd6529777061
Merged-by: Michael Niedermayer <michaelni@gmx.at>
1  2 
libavcodec/pgssubdec.c

@@@ -224,22 -213,17 +231,17 @@@ static int parse_picture_segment(AVCode
          return -1;
      }
  
-     if (buf_size > rle_bitmap_len) {
-         av_log(avctx, AV_LOG_ERROR, "too much RLE data\n");
-         return AVERROR_INVALIDDATA;
-     }
 -    ctx->picture.w = width;
 -    ctx->picture.h = height;
 +    ctx->pictures[picture_id].w = width;
 +    ctx->pictures[picture_id].h = height;
  
 -    av_fast_malloc(&ctx->picture.rle, &ctx->picture.rle_buffer_size, rle_bitmap_len);
 +    av_fast_padded_malloc(&ctx->pictures[picture_id].rle, &ctx->pictures[picture_id].rle_buffer_size, rle_bitmap_len);
  
 -    if (!ctx->picture.rle)
 +    if (!ctx->pictures[picture_id].rle)
          return -1;
  
 -    memcpy(ctx->picture.rle, buf, buf_size);
 -    ctx->picture.rle_data_len = buf_size;
 -    ctx->picture.rle_remaining_len = rle_bitmap_len - buf_size;
 +    memcpy(ctx->pictures[picture_id].rle, buf, buf_size);
 +    ctx->pictures[picture_id].rle_data_len      = buf_size;
 +    ctx->pictures[picture_id].rle_remaining_len = rle_bitmap_len - buf_size;
  
      return 0;
  }