4xm: do not overread the prestream buffer
authorLuca Barbato <lu_zero@gentoo.org>
Fri, 7 Jun 2013 14:18:22 +0000 (16:18 +0200)
committerLuca Barbato <lu_zero@gentoo.org>
Sun, 16 Jun 2013 13:54:23 +0000 (15:54 +0200)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit be373cb50d3c411366fec7eef2eb3681abe48f96)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavcodec/4xm.c

index 493e2ad..5602f62 100644 (file)
@@ -576,7 +576,8 @@ static int decode_i_mb(FourXContext *f)
 }
 
 static const uint8_t *read_huffman_tables(FourXContext *f,
-                                          const uint8_t * const buf)
+                                          const uint8_t * const buf,
+                                          int len)
 {
     int frequency[512] = { 0 };
     uint8_t flag[512];
@@ -594,12 +595,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f,
     for (;;) {
         int i;
 
+        len -= end - start + 1;
+
+        if (end < start || len < 0)
+            return NULL;
+
         for (i = start; i <= end; i++)
             frequency[i] = *ptr++;
         start = *ptr++;
         if (start == 0)
             break;
 
+        if (--len < 0)
+            return NULL;
+
         end = *ptr++;
     }
     frequency[256] = 1;
@@ -741,7 +750,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length)
         return -1;
     }
 
-    prestream = read_huffman_tables(f, prestream);
+    prestream = read_huffman_tables(f, prestream, prestream_size);
     if (!prestream) {
         av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
         return AVERROR_INVALIDDATA;