[FFmpeg-cvslog] raw: move buffer size check up.
Ronald S. Bultje
git at videolan.org
Mon Apr 2 01:45:28 CEST 2012
ffmpeg | branch: release/0.8 | Ronald S. Bultje <rsbultje at gmail.com> | Tue Mar 6 16:08:10 2012 -0800| [4924520513d06b4d9169a1d3e0374d5a48bc02e0] | committer: Reinhard Tartler
raw: move buffer size check up.
This way, it protects against overreads for 4bpp/2bpp content also.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit cc5dd632cecc5114717d0b90f8c2be162b1c6ee8)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4924520513d06b4d9169a1d3e0374d5a48bc02e0
---
libavcodec/rawdec.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 5e8e6c4..05a032e 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -127,6 +127,9 @@ static int raw_decode(AVCodecContext *avctx,
frame->reordered_opaque = avctx->reordered_opaque;
frame->pkt_pts = avctx->pkt->pts;
+ if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
+ return -1;
+
//2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
if (context->buffer) {
int i;
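Review bot: the early check added at the top of this hunk fails with a bare `return -1` and no log message, so a caller cannot tell a truncated packet from any other decode failure. Consider returning AVERROR_INVALIDDATA and logging buf_size against context->length with av_log. For PIX_FMT_PAL8 the bound is context->length - 256*4; if context->length can ever be below 1024 the right-hand side goes negative (assuming signed operands) and the check never fires, so a short comment stating why that cannot happen, or an explicit clamp, would help. The loop inside `if (context->buffer)` is not visible in this hunk, so please confirm it reads no more input than this check guarantees.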
@@ -151,9 +154,6 @@ static int raw_decode(AVCodecContext *avctx,
avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
buf += buf_size - context->length;
- if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
- return -1;
-
avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
(avctx->pix_fmt!=PIX_FMT_PAL8 &&
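Review bot: with the check removed from this spot, `buf += buf_size - context->length;` just above depends entirely on the earlier test, and that test lets PIX_FMT_PAL8 packets through with buf_size up to 256*4 smaller than context->length. In that case the offset is negative and buf points before the start of the packet when avpicture_fill runs. If the tagged formats in that condition can never be PAL8, a comment saying so would be enough; otherwise guard the adjustment with buf_size >= context->length.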