Commit 18de7969 authored by Reimar Döffinger

roqvideodec: Improve checking of input buffer bounds.

Fixes trac issue #408.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
parent ff960980
...@@ -71,9 +71,17 @@ static void roqvideo_decode_frame(RoqContext *ri) ...@@ -71,9 +71,17 @@ static void roqvideo_decode_frame(RoqContext *ri)
} }
bpos = xpos = ypos = 0; bpos = xpos = ypos = 0;
if (chunk_size > buf_end - buf) {
av_log(ri->avctx, AV_LOG_ERROR, "Chunk does not fit in input buffer\n");
chunk_size = buf_end - buf;
}
while(bpos < chunk_size) { while(bpos < chunk_size) {
for (yp = ypos; yp < ypos + 16; yp += 8) for (yp = ypos; yp < ypos + 16; yp += 8)
for (xp = xpos; xp < xpos + 16; xp += 8) { for (xp = xpos; xp < xpos + 16; xp += 8) {
if (bpos >= chunk_size) {
av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
return;
}
if (vqflg_pos < 0) { if (vqflg_pos < 0) {
vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8); vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8);
vqflg_pos = 7; vqflg_pos = 7;
...@@ -103,6 +111,10 @@ static void roqvideo_decode_frame(RoqContext *ri) ...@@ -103,6 +111,10 @@ static void roqvideo_decode_frame(RoqContext *ri)
if(k & 0x01) x += 4; if(k & 0x01) x += 4;
if(k & 0x02) y += 4; if(k & 0x02) y += 4;
if (bpos >= chunk_size) {
av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
return;
}
if (vqflg_pos < 0) { if (vqflg_pos < 0) {
vqflg = buf[bpos++]; vqflg = buf[bpos++];
vqflg |= (buf[bpos++] << 8); vqflg |= (buf[bpos++] << 8);
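Review bot: The added `bpos >= chunk_size` guard before each `if (vqflg_pos < 0)` branch proves only that one byte is left, but the branch reads two (`vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8);`). With `bpos == chunk_size - 1` the second read lands one byte past the chunk, and past `buf_end` when `chunk_size` was clamped to `buf_end - buf`. This applies in both hunks; in addition to the existing check, the branch should start with `if (chunk_size - bpos < 2) { av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n"); return; }`. The reads that consume bytes after the flag word are outside the hunks, so whether the single-byte check is enough for them cannot be confirmed from here. The body of roqvideo_decode_frame starts and ends outside both hunks.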