lagarith: check count before writing zeros.

Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>

lagarith: check count before writing zeros.
Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov <anton@khirnov.net>
b631e4ed · Michael Niedermayer · Anton Khirnov · 99f392a5 · b631e4ed
Commit b631e4ed authored Apr 14, 2012 by Michael Niedermayer Committed by Anton Khirnov Sep 29, 2012
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

lagarith.c libavcodec/lagarith.c +5 -0

No files found.
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -361,6 +361,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
 output_zeros:
    if (l->zeros_rem) {
        count = FFMIN(l->zeros_rem, width - i);
+        if (end - dst < count) {
+            av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
        memset(dst, 0, count);
        l->zeros_rem -= count;
        dst += count;