Merge commit 'ea1806ce650f0502dd25939c335b9216fa4a955f' into release/1.1
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 21 Apr 2014 14:00:51 +0000 (16:00 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 21 Apr 2014 14:00:51 +0000 (16:00 +0200)
* commit 'ea1806ce650f0502dd25939c335b9216fa4a955f':
  sgidec: fix buffer size check in expand_rle_row()

Conflicts:
libavcodec/sgidec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/sgidec.c

@@@ -27,7 -26,8 +27,8 @@@
  #include "sgi.h"
  
  typedef struct SgiState {
 -    AVCodecContext *avctx;
      AVFrame picture;
++    AVCodecContext *avctx;
      unsigned int width;
      unsigned int height;
      unsigned int depth;
@@@ -49,8 -49,8 +50,9 @@@ static int expand_rle_row(SgiState *s, 
  {
      unsigned char pixel, count;
      unsigned char *orig = out_buf;
++    uint8_t *out_end = out_buf + len;
  
 -    while (1) {
 +    while (out_buf < out_end) {
          if (bytestream2_get_bytes_left(&s->g) < 1)
              return AVERROR_INVALIDDATA;
          pixel = bytestream2_get_byteu(&s->g);
          }
  
          /* Check for buffer overflow. */
-         if(out_buf + pixelstride * (count-1) >= out_end) return -1;
 -        if (pixelstride * (count - 1) >= len) {
++        if (out_end - out_buf <= pixelstride * (count - 1)) {
+             av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
+             return AVERROR_INVALIDDATA;
+         }
  
          if (pixel & 0x80) {
              while (count--) {
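Review bot: The new guard `if (out_end - out_buf <= pixelstride * (count - 1))` is only sound if `count` is non-zero and `len` counts bytes from `out_buf` itself, and neither assumption is written down next to it. I would replace the generic comment above it with `/* count != 0 here; reject a run whose last pixel, at out_buf + pixelstride * (count - 1), would fall at or past out_end */`. At the call in read_rle_sgi (the next hunk) `len` is `s->width*s->depth` measured from `dest_row + z`, so `out_end` sits `z` bytes past the row's pixel data, and writes stay inside the row only because they land on multiples of `pixelstride` from `out_buf` (assuming `z < s->depth`); a short comment on the `len` parameter would make that contract explicit. The body of expand_rle_row starts and ends outside this hunk, so the zero-count early return is inferred from the closing brace shown just above the check.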
@@@ -103,7 -105,7 +108,7 @@@ static int read_rle_sgi(uint8_t *out_bu
              dest_row -= s->linesize;
              start_offset = bytestream2_get_be32(&g_table);
              bytestream2_seek(&s->g, start_offset, SEEK_SET);
-             if (expand_rle_row(s, dest_row + z, dest_row + s->width*s->depth,
 -            if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z,
++            if (expand_rle_row(s, dest_row + z, s->width*s->depth,
                                 s->depth) != s->width) {
                  return AVERROR_INVALIDDATA;
              }
@@@ -268,6 -280,7 +282,7 @@@ AVCodec ff_sgi_decoder = 
      .init           = sgi_init,
      .close          = sgi_end,
      .decode         = decode_frame,
 -    .init           = sgi_decode_init,
      .long_name      = NULL_IF_CONFIG_SMALL("SGI image"),
++    .init           = sgi_decode_init,
      .capabilities   = CODEC_CAP_DR1,
  };
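Review bot: As shown, `ff_sgi_decoder` ends up with two designated initializers for the same member, `.init = sgi_init,` on the first line of the hunk and `.init = sgi_decode_init,` after `.long_name`. In C the later initializer silently overrides the earlier one, so only `sgi_decode_init` is registered and `sgi_init` is never reached through this table; GCC reports this under `-Woverride-init`. Neither function body is in the hunk, so confirm which one is intended, and that it does all the setup `sgi_end` and the `s->avctx` use in expand_rle_row rely on. Then delete the other line so the table has a single `.init = sgi_decode_init,` (or `sgi_init`).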