Skip to content

F
ffmpeg.wasm-core
Commit 9b5a4a9c authored by Luca Barbato's avatar Luca Barbato
Browse files
Options

mmvideo: Make sure the rle does not write over the frame boundaries 

Bug-Id: 887
CC: libav-stable@libav.org
parent 41ed749f
Hide whitespace changes
Inline Side-by-side
Showing with 5 additions and 1 deletion
libavcodec/mmvideo.c
View file @ 9b5a4a9c
...@@ -99,7 +99,8 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) ...@@ -99,7 +99,8 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
while (bytestream2_get_bytes_left(&s->gb) > 0) { while (bytestream2_get_bytes_left(&s->gb) > 0) {
int run_length, color; int run_length, color;
if (y >= s->avctx->height) // writes one more line when half_vert is true
if (y >= s->avctx->height + !!half_vert)
return 0; return 0;
color = bytestream2_get_byte(&s->gb); color = bytestream2_get_byte(&s->gb);
...@@ -113,6 +114,9 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert) ...@@ -113,6 +114,9 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
if (half_horiz) if (half_horiz)
run_length *=2; run_length *=2;
if (s->avctx->width - x < run_length)
return AVERROR_INVALIDDATA;
if (color) { if (color) {
memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length); memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length);
if (half_vert) if (half_vert)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment