exr: check size of uncompressed buffer returned by uncompress()

The actual size of uncompressed buffer returned by uncompress() may be smaller than expected, so abort decoding in such cases. Signed-off-by: Paul B Mahol <onemda@gmail.com>

exr: check size of uncompressed buffer returned by uncompress()
The actual size of uncompressed buffer returned by uncompress() may be smaller than expected, so abort decoding in such cases. Signed-off-by: Paul B Mahol <onemda@gmail.com>
7543fd80 · Paul B Mahol · 8b855b69 · 7543fd80
Commit 7543fd80 authored Jul 13, 2012 by Paul B Mahol
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

exr.c libavcodec/exr.c +4 -1

No files found.
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -545,7 +545,10 @@ static int decode_frame(AVCodecContext *avctx,
                const uint8_t *red_channel_buffer, *green_channel_buffer, *blue_channel_buffer, *alpha_channel_buffer = 0;
                if ((s->compr == EXR_ZIP1 || s->compr == EXR_ZIP16) && data_size < uncompressed_size) {
-                    if (uncompress(s->tmp, &uncompressed_size, avpkt->data + line_offset, data_size) != Z_OK) {
+                    unsigned long dest_len = uncompressed_size;
+                    if (uncompress(s->tmp, &dest_len, avpkt->data + line_offset, data_size) != Z_OK ||
+                        dest_len != uncompressed_size) {
                        av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n");
                        return AVERROR(EINVAL);
                    }