lcldec: Check length before unsigned subtraction.

Fix integer overflow and out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

lcldec: Check length before unsigned subtraction.
Fix integer overflow and out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
b53ed19a · Michael Niedermayer · 69fb605a · b53ed19a
Commit b53ed19a authored Jan 24, 2013 by Michael Niedermayer
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

lcldec.c libavcodec/lcldec.c +4 -0

No files found.
--- a/libavcodec/lcldec.c
+++ b/libavcodec/lcldec.c
@@ -203,6 +203,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                ;
            } else if (c->flags & FLAG_MULTITHREAD) {
                mthread_inlen = AV_RL32(encoded);
+                if (len < 8) {
+                    av_log(avctx, AV_LOG_ERROR, "len %d is too small\n", len);
+                    return AVERROR_INVALIDDATA;
+                }
                mthread_inlen = FFMIN(mthread_inlen, len - 8);
                mthread_outlen = AV_RL32(encoded+4);
                mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);