Commit fc739b3e authored by Martin Storsjö's avatar Martin Storsjö

xan: Only read within the data that actually was initialized

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
parent 30db94dc
...@@ -103,6 +103,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, ...@@ -103,6 +103,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
int ptr_len = src_len - 1 - byte*2; int ptr_len = src_len - 1 - byte*2;
unsigned char val = ival; unsigned char val = ival;
unsigned char *dest_end = dest + dest_len; unsigned char *dest_end = dest + dest_len;
unsigned char *dest_start = dest;
GetBitContext gb; GetBitContext gb;
if (ptr_len < 0) if (ptr_len < 0)
...@@ -118,13 +119,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len, ...@@ -118,13 +119,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
if (val < 0x16) { if (val < 0x16) {
if (dest >= dest_end) if (dest >= dest_end)
return 0; return dest_len;
*dest++ = val; *dest++ = val;
val = ival; val = ival;
} }
} }
return 0; return dest - dest_start;
} }
/** /**
...@@ -278,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) ...@@ -278,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
unsigned char flag = 0; unsigned char flag = 0;
int size = 0; int size = 0;
int motion_x, motion_y; int motion_x, motion_y;
int x, y; int x, y, ret;
unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer = s->buffer1;
unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
...@@ -312,9 +313,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame) ...@@ -312,9 +313,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
imagedata_segment = s->buf + imagedata_offset; imagedata_segment = s->buf + imagedata_offset;
if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
huffman_segment, s->size - huffman_offset) < 0) huffman_segment, s->size - huffman_offset)) < 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
opcode_buffer_end = opcode_buffer + ret;
if (imagedata_segment[0] == 2) { if (imagedata_segment[0] == 2) {
xan_unpack(s->buffer2, s->buffer2_size, xan_unpack(s->buffer2, s->buffer2_size,
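Review bot: The return value of xan_huffman_decode changes meaning in the second hunk, from 0 on success to the number of bytes written to dest, and no comment in the visible lines records the new contract even though xan_wc3_decode_frame now depends on it for `opcode_buffer_end = opcode_buffer + ret;`. A header comment such as `/* @return number of bytes written to dest, negative on error */` would stop a later caller from treating the result as a plain success flag and bounding its reads by buffer1_size again, which would expose the uninitialized tail of the buffer. The early exit `return dest_len;` could read `return dest - dest_start;` so that both exits compute the count the same way. The xan_unpack call into s->buffer2 continues past the end of the last hunk; if the code consuming buffer2 bounds its reads by buffer2_size rather than by what xan_unpack actually produced, the same concern may apply there and is worth confirming. Both functions begin and end outside the hunks shown.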