proresdec_lgpl: explicitly check coff[3] against slice_data_size

The implicit checks via v_data_size and a_data_size don't work in the case '(hdr_size > 7) && !ctx->alpha_info'. This fixes segmentation faults due to invalid reads. This problem was introduced in commit 547c2f00. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

proresdec_lgpl: explicitly check coff[3] against slice_data_size
The implicit checks via v_data_size and a_data_size don't work in the case '(hdr_size > 7) && !ctx->alpha_info'. This fixes segmentation faults due to invalid reads. This problem was introduced in commit 547c2f00. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
1e33035e · Andreas Cadhalpun · 18108f36 · 1e33035e
Commit 1e33035e authored Nov 09, 2016 by Andreas Cadhalpun
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

proresdec_lgpl.c libavcodec/proresdec_lgpl.c +1 -1

No files found.
--- a/libavcodec/proresdec_lgpl.c
+++ b/libavcodec/proresdec_lgpl.c
@@ -625,7 +625,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)

    /* if V or alpha component size is negative that means that previous
       component sizes are too large */
-    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) {
+    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) {
        av_log(avctx, AV_LOG_ERROR, "invalid data size\n");
        return AVERROR_INVALIDDATA;
    }