Do not overread input buffer.

Fixes issue 2503. Patch by Daniel Kang, daniel.d.kang at gmail Originally committed as revision 26256 to svn://svn.ffmpeg.org/ffmpeg/trunk

Do not overread input buffer.
Fixes issue 2503. Patch by Daniel Kang, daniel.d.kang at gmail Originally committed as revision 26256 to svn://svn.ffmpeg.org/ffmpeg/trunk
fea714ec · Daniel Kang · Carl Eugen Hoyos · 10d8eac9 · fea714ec
Commit fea714ec authored Jan 07, 2011 by Daniel Kang Committed by Carl Eugen Hoyos Jan 07, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

dpx.c libavcodec/dpx.c +5 -0

No files found.
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -55,6 +55,7 @@ static int decode_frame(AVCodecContext *avctx,
                        AVPacket *avpkt)
 {
    const uint8_t *buf = avpkt->data;
+    const uint8_t *buf_end = avpkt->data + avpkt->size;
    int buf_size       = avpkt->size;
    DPXContext *const s = avctx->priv_data;
    AVFrame *picture  = data;
@@ -172,6 +173,10 @@ static int decode_frame(AVCodecContext *avctx,
        case 8:
        case 12: // Treat 12-bit as 16-bit
        case 16:
+            if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+                av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+                return -1;
+            }
            if (source_packet_size == target_packet_size) {
                for (x = 0; x < avctx->height; x++) {
                    memcpy(ptr, buf, target_packet_size*avctx->width);