Skip to content

F
ffmpeg.wasm-core
Commit bd70a527 authored by Paul B Mahol's avatar Paul B Mahol
Browse files
Options

paf: prevent invalid write 

Closes #1631.
Signed-off-by: 's avatarPaul B Mahol <onemda@gmail.com>
parent c3da2c19
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 2 deletions
libavcodec/paf.c
View file @ bd70a527
...@@ -164,14 +164,16 @@ static int decode_0(AVCodecContext *avctx, uint8_t code, uint8_t *pkt) ...@@ -164,14 +164,16 @@ static int decode_0(AVCodecContext *avctx, uint8_t code, uint8_t *pkt)
} while (--i); } while (--i);
} }
dst = c->frame[c->current_frame]; dst = c->frame[c->current_frame];
dend = c->frame[c->current_frame] + c->frame_size;
do { do {
a = bytestream2_get_byte(&c->gb); a = bytestream2_get_byte(&c->gb);
b = bytestream2_get_byte(&c->gb); b = bytestream2_get_byte(&c->gb);
p = (a & 0xC0) >> 6; p = (a & 0xC0) >> 6;
src = c->frame[p] + get_video_page_offset(avctx, a, b); src = c->frame[p] + get_video_page_offset(avctx, a, b);
send = c->frame[p] + c->frame_size; send = c->frame[p] + c->frame_size;
if (src + 3 * avctx->width + 4 > send) if ((src + 3 * avctx->width + 4 > send) ||
(dst + 3 * avctx->width + 4 > dend))
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
copy_block4(dst, src, avctx->width, avctx->width, 4); copy_block4(dst, src, avctx->width, avctx->width, 4);
i++; i++;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment