Check for overread in vqa video decoder.

This issue was discovered while decoding the FATE sample vqa/ws_snd.vqa. For some unknown reason only audio decoding is tested by FATE for that file, but not video. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>

Check for overread in vqa video decoder.
This issue was discovered while decoding the FATE sample vqa/ws_snd.vqa. For some unknown reason only audio decoding is tested by FATE for that file, but not video. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
42780232 · Reimar Döffinger · 1d0d6305 · 42780232
Commit 42780232 authored Jan 05, 2012 by Reimar Döffinger
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

vqavideo.c libavcodec/vqavideo.c +9 -4

No files found.
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -322,10 +322,17 @@ static void vqa_decode_chunk(VqaContext *s)
    int hibytes = s->decode_buffer_size / 2;

    /* first, traverse through the frame and find the subchunks */
-    while (index < s->size) {
+    while (index + CHUNK_PREAMBLE_SIZE <= s->size) {
+        unsigned next_index;

        chunk_type = AV_RB32(&s->buf[index]);
        chunk_size = AV_RB32(&s->buf[index + 4]);
+        byte_skip = chunk_size & 0x01;
+        next_index = index + CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip;
+        if (next_index > s->size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Dropping incomplete chunk\n");
+            break;
+        }

        switch (chunk_type) {

@@ -366,9 +373,7 @@ static void vqa_decode_chunk(VqaContext *s)
            chunk_type);
            break;
        }
-
-        byte_skip = chunk_size & 0x01;
-        index += (CHUNK_PREAMBLE_SIZE + chunk_size + byte_skip);
+        index = next_index;
    }

    /* next, deal with the palette */