Commit 62b1e3b1 authored by Luca Barbato's avatar Luca Barbato

aasc: Check minimum buffer size

Prevent some overreads.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 45ee556d
...@@ -62,6 +62,9 @@ static int aasc_decode_frame(AVCodecContext *avctx, ...@@ -62,6 +62,9 @@ static int aasc_decode_frame(AVCodecContext *avctx,
AascContext *s = avctx->priv_data; AascContext *s = avctx->priv_data;
int compr, i, stride, ret; int compr, i, stride, ret;
if (buf_size < 4)
return AVERROR_INVALIDDATA;
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) { if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) {
av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n"); av_log(avctx, AV_LOG_ERROR, "reget_buffer() failed\n");
return ret; return ret;
...@@ -73,6 +76,8 @@ static int aasc_decode_frame(AVCodecContext *avctx, ...@@ -73,6 +76,8 @@ static int aasc_decode_frame(AVCodecContext *avctx,
switch (compr) { switch (compr) {
case 0: case 0:
stride = (avctx->width * 3 + 3) & ~3; stride = (avctx->width * 3 + 3) & ~3;
if (buf_size < stride * avctx->height)
return AVERROR_INVALIDDATA;
for (i = avctx->height - 1; i >= 0; i--) { for (i = avctx->height - 1; i >= 0; i--) {
memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * 3); memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * 3);
buf += stride; buf += stride;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment