avcodec/hnm4video: check writeoffset in decode_interframe_v4a()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/hnm4video: check writeoffset in decode_interframe_v4a()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
ffe31c65 · Michael Niedermayer · 5c4aa72b · ffe31c65
Commit ffe31c65 authored Nov 22, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

hnm4video.c libavcodec/hnm4video.c +8 -0

No files found.
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -287,6 +287,10 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
            if (tag == 0) {
                writeoffset += bytestream2_get_byte(&gb);
            } else if (tag == 1) {
+                if (writeoffset + hnm->width >= hnm->width * hnm->height) {
+                    av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
+                    break;
+                }
                hnm->current[writeoffset]              = bytestream2_get_byte(&gb);
                hnm->current[writeoffset + hnm->width] = bytestream2_get_byte(&gb);
                writeoffset++;
@@ -295,6 +299,10 @@ static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
            } else if (tag == 3) {
                break;
            }
+            if (writeoffset > hnm->width * hnm->height) {
+                av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
+                break;
+            }
        } else {
            delta    = bytestream2_peek_byte(&gb) & 0x80;
            previous = bytestream2_peek_byte(&gb) & 0x40;