Commit ad002e1a authored by Michael Niedermayer

avcodec/cdgraphics: check buffer size before use

Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent ead590c2
...@@ -289,7 +289,9 @@ static int cdg_decode_frame(AVCodecContext *avctx, ...@@ -289,7 +289,9 @@ static int cdg_decode_frame(AVCodecContext *avctx,
inst = bytestream_get_byte(&buf); inst = bytestream_get_byte(&buf);
inst &= CDG_MASK; inst &= CDG_MASK;
buf += 2; /// skipping 2 unneeded bytes buf += 2; /// skipping 2 unneeded bytes
bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
if (buf_size > CDG_HEADER_SIZE)
bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE);
if ((command & CDG_MASK) == CDG_COMMAND) { if ((command & CDG_MASK) == CDG_COMMAND) {
switch (inst) { switch (inst) {
......
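Review bot: the new `if (buf_size > CDG_HEADER_SIZE)` guard in cdg_decode_frame only stops the length `buf_size - CDG_HEADER_SIZE` from going to zero or negative; nothing in this hunk bounds that length from above against the size of `cdg_data`, so a large packet would still be copied in full. If no earlier check in the function rejects oversized packets, add one before this point that compares `buf_size` against the header size plus the capacity of `cdg_data`, and return an error instead of copying. Two smaller points: when the guard is false the code still falls through to `if ((command & CDG_MASK) == CDG_COMMAND)` and the `switch (inst)`, so the handlers run on a `cdg_data` that this packet never filled; returning an error for short packets, or making sure `cdg_data` is zero-initialised, would make that case well defined. Also, `bytestream_get_byte(&buf)` and `buf += 2` sit before the guard, so they rely on a minimum packet size check that is not visible here; worth confirming it exists.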