sanm: Check decoded_size.

This prevents a buffer overflow in rle_decode() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

sanm: Check decoded_size.
This prevents a buffer overflow in rle_decode() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
7357ca90 · Michael Niedermayer · 31cd1e20 · 7357ca90
Commit 7357ca90 authored Jan 23, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

sanm.c libavcodec/sanm.c +5 -0

No files found.
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -639,6 +639,11 @@ static int old_codec47(SANMVideoContext *ctx, int top,
    decoded_size = bytestream2_get_le32(&ctx->gb);
    bytestream2_skip(&ctx->gb, 8);

+    if (decoded_size > height * stride - left - top * stride) {
+        decoded_size = height * stride - left - top * stride;
+        av_log(ctx->avctx, AV_LOG_WARNING, "decoded size is too large\n");
+    }
+
    if (skip & 1)
        bytestream2_skip(&ctx->gb, 0x8080);
    if (!seq) {