[FFmpeg-cvslog] dsicinav: Bound-check the source buffer when needed

Luca Barbato git at videolan.org
Wed Sep 25 23:34:50 CEST 2013


ffmpeg | branch: release/0.10 | Luca Barbato <lu_zero at gentoo.org> | Fri Jul 19 21:09:40 2013 +0200| [0d24adbe8d8e48428776586aa16df6629470d8ae] | committer: Sean McGovern

dsicinav: Bound-check the source buffer when needed

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit dd0bfc3a6a310e3e3674ce7742672d689a9a0e93)

Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0d24adbe8d8e48428776586aa16df6629470d8ae
---

 libavcodec/dsicinav.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index a379531..108424c 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -187,11 +187,13 @@ static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char
     while (src < src_end && dst < dst_end) {
         code = *src++;
         if (code & 0x80) {
+            if (src >= src_end)
+                break;
             len = code - 0x7F;
             memset(dst, *src++, FFMIN(len, dst_end - dst));
         } else {
             len = code + 1;
-            memcpy(dst, src, FFMIN(len, dst_end - dst));
+            memcpy(dst, src, FFMIN3(len, dst_end - dst, src_end - src));
             src += len;
         }
         dst += len;



More information about the ffmpeg-cvslog mailing list