Commit 39a3a53b authored by Michael Niedermayer

pngdec: validate length.

Fixes out of array reading.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 337fa0db
...@@ -427,7 +427,7 @@ static int decode_frame(AVCodecContext *avctx, ...@@ -427,7 +427,7 @@ static int decode_frame(AVCodecContext *avctx,
if (s->bytestream >= s->bytestream_end) if (s->bytestream >= s->bytestream_end)
goto fail; goto fail;
length = bytestream_get_be32(&s->bytestream); length = bytestream_get_be32(&s->bytestream);
if (length > 0x7fffffff) if (length > 0x7fffffff || length > s->bytestream_end - s->bytestream)
goto fail; goto fail;
tag32 = bytestream_get_be32(&s->bytestream); tag32 = bytestream_get_be32(&s->bytestream);
tag = av_bswap32(tag32); tag = av_bswap32(tag32);
......
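Review bot: The new bound `length > s->bytestream_end - s->bytestream` is evaluated before the 4-byte `tag32` read on the next line, so a `length` equal to the remaining byte count passes while the chunk data that follows has 4 fewer bytes than claimed. Consider accounting for the tag in the comparison, or doing the comparison after the tag has been consumed. Separately, the guard at the top of the hunk (`s->bytestream >= s->bytestream_end`) only guarantees that one byte remains, yet `bytestream_get_be32` consumes four for `length` and four more for `tag32`; if fewer than four bytes are left, the pointer difference in the new check is negative, and whether the comparison then fails safely depends on the type of `length` and the width of the pointer difference. Requiring at least 8 bytes before the first read would make both reads and the new bound well defined. A short comment stating what `length` is being bounded against (remaining input, excluding tag) would also help later readers.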