Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().

Issue has been reported to me by Gynvael Coldwind Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk

Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().
Issue has been reported to me by Gynvael Coldwind Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk
74297831 · Michael Niedermayer · 81a64614 · 74297831
Commit 74297831 authored Nov 02, 2010 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

msrledec.c libavcodec/msrledec.c +3 -2

No files found.
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -136,6 +136,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
    int p1, p2, line=avctx->height - 1, pos=0, i;
    uint16_t av_uninit(pix16);
    uint32_t av_uninit(pix32);
+    unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
    output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
    output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
@@ -157,11 +158,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
                p1 = *src++;
                p2 = *src++;
                line -= p2;
-                if (line < 0){
+                pos += p1;
+                if (line < 0 || pos >= width){
                    av_log(avctx, AV_LOG_ERROR, "Skip beyond picture bounds\n");
                    return -1;
                }
-                pos += p1;
                output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
                continue;
            }