4xm: do not overread the prestream buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org

4xm: do not overread the prestream buffer
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
be373cb5 · Luca Barbato · de2e5777 · be373cb5
Commit be373cb5 authored Jun 07, 2013 by Luca Barbato
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

4xm.c libavcodec/4xm.c +11 -2

No files found.
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -579,7 +579,8 @@ static int decode_i_mb(FourXContext *f)
 }
 static const uint8_t *read_huffman_tables(FourXContext *f,
-                                          const uint8_t * const buf)
+                                          const uint8_t * const buf,
+                                          int len)
 {
    int frequency[512] = { 0 };
    uint8_t flag[512];
@@ -597,12 +598,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f,
    for (;;) {
        int i;
+        len -= end - start + 1;
+        if (end < start || len < 0)
+            return NULL;
        for (i = start; i <= end; i++)
            frequency[i] = *ptr++;
        start = *ptr++;
        if (start == 0)
            break;
+        if (--len < 0)
+            return NULL;
        end = *ptr++;
    }
    frequency[256] = 1;
@@ -744,7 +753,7 @@ static int decode_i_frame(FourXContext *f, AVFrame *frame, const uint8_t *buf, i
        return AVERROR_INVALIDDATA;
    }
-    prestream = read_huffman_tables(f, prestream);
+    prestream = read_huffman_tables(f, prestream, prestream_size);
    if (!prestream) {
        av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
        return AVERROR_INVALIDDATA;