Commit de0cb7f0 authored by Vitaliy E Sugrobov's avatar Vitaliy E Sugrobov Committed by Paul B Mahol

Additional checks to prevent overread.

Check for availability of some required amount of bytes in buffer before
reading further.
Signed-off-by: 's avatarVitaliy E Sugrobov <vsugrob@hotmail.com>
parent 91499f4e
......@@ -146,6 +146,10 @@ static int gif_read_image(GifState *s)
int ret;
uint8_t *idx;
/* At least 9 bytes of Image Descriptor. */
if (s->bytestream_end < s->bytestream + 9)
return AVERROR_INVALIDDATA;
left = bytestream_get_le16(&s->bytestream);
top = bytestream_get_le16(&s->bytestream);
width = bytestream_get_le16(&s->bytestream);
......@@ -222,6 +226,10 @@ static int gif_read_image(GifState *s)
}
}
/* Expect at least 2 bytes: 1 for lzw code size and 1 for block size. */
if (s->bytestream_end < s->bytestream + 2)
return AVERROR_INVALIDDATA;
/* now get the image data */
code_size = bytestream_get_byte(&s->bytestream);
if ((ret = ff_lzw_decode_init(s->lzw, code_size, s->bytestream,
......@@ -296,7 +304,11 @@ static int gif_read_extension(GifState *s)
{
int ext_code, ext_len, i, gce_flags, gce_transparent_index;
/* extension */
/* There must be at least 2 bytes:
* 1 for extension label and 1 for extension length. */
if (s->bytestream_end < s->bytestream + 2)
return AVERROR_INVALIDDATA;
ext_code = bytestream_get_byte(&s->bytestream);
ext_len = bytestream_get_byte(&s->bytestream);
......@@ -306,6 +318,12 @@ static int gif_read_extension(GifState *s)
case GIF_GCE_EXT_LABEL:
if (ext_len != 4)
goto discard_ext;
/* We need at least 5 bytes more: 4 is for extension body
* and 1 for next block size. */
if (s->bytestream_end < s->bytestream + 5)
return AVERROR_INVALIDDATA;
s->transparent_color_index = -1;
gce_flags = bytestream_get_byte(&s->bytestream);
bytestream_get_le16(&s->bytestream); // delay during which the frame is shown
......@@ -332,6 +350,10 @@ static int gif_read_extension(GifState *s)
/* NOTE: many extension blocks can come after */
discard_ext:
while (ext_len != 0) {
/* There must be at least ext_len bytes and 1 for next block size byte. */
if (s->bytestream_end < s->bytestream + ext_len + 1)
return AVERROR_INVALIDDATA;
for (i = 0; i < ext_len; i++)
bytestream_get_byte(&s->bytestream);
ext_len = bytestream_get_byte(&s->bytestream);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment