[FFmpeg-cvslog] xan: Only read within the data that actually was initialized

Martin Storsjö git at videolan.org
Thu Jan 16 22:49:46 CET 2014


ffmpeg | branch: release/0.10 | Martin Storsjö <martin at martin.st> | Sun Sep 29 00:59:50 2013 +0300| [380e3732676828decd54dccaba96db30be78aecf] | committer: Luca Barbato

xan: Only read within the data that actually was initialized

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
Signed-off-by: Martin Storsjö <martin at martin.st>
(cherry picked from commit fc739b3eefa0b58d64e7661621da94a94dbc8a82)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
(cherry picked from commit 09ace619d6ccb2c0a45b5fdead29f926409fa129)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=380e3732676828decd54dccaba96db30be78aecf
---

 libavcodec/xan.c |   12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 3078e0a..d0def65 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -104,6 +104,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
     int ptr_len = src_len - 1 - byte*2;
     unsigned char val = ival;
     unsigned char *dest_end = dest + dest_len;
+    unsigned char *dest_start = dest;
     GetBitContext gb;
 
     if (ptr_len < 0)
@@ -119,13 +120,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
 
         if (val < 0x16) {
             if (dest >= dest_end)
-                return 0;
+                return dest_len;
             *dest++ = val;
             val = ival;
         }
     }
 
-    return 0;
+    return dest - dest_start;
 }
 
 /**
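Review bot: The return contract of xan_huffman_decode changes here from 0-on-success to a byte count, but nothing in the hunk documents it, and the caller now relies on that value to bound its reads. I would add above the function something like `/* @return number of bytes written to dest (never more than dest_len), or a negative error code */`. The early exit `return dest_len;` and the final `return dest - dest_start;` express the same quantity in two ways; using `return dest - dest_start;` in both places keeps them in agreement if the bounds check ever changes. A full output buffer is still reported as success, so a stream that would decode to more than dest_len bytes is indistinguishable from one that fits exactly. The function starts outside this hunk.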
@@ -274,7 +275,7 @@ static int xan_wc3_decode_frame(XanContext *s) {
     unsigned char flag = 0;
     int size = 0;
     int motion_x, motion_y;
-    int x, y;
+    int x, y, ret;
 
     unsigned char *opcode_buffer = s->buffer1;
     unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
@@ -308,9 +309,10 @@ static int xan_wc3_decode_frame(XanContext *s) {
     bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
     imagedata_segment = s->buf + imagedata_offset;
 
-    if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
-                           huffman_segment, s->size - huffman_offset) < 0)
+    if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+                                  huffman_segment, s->size - huffman_offset)) < 0)
         return AVERROR_INVALIDDATA;
+    opcode_buffer_end = opcode_buffer + ret;
 
     if (imagedata_segment[0] == 2) {
         xan_unpack(s->buffer2, s->buffer2_size,
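Review bot: The new `opcode_buffer_end = opcode_buffer + ret;` is what keeps the opcode reader out of the bytes of `s->buffer1` that this frame's Huffman pass never wrote, and it deserves a comment saying so, e.g. `/* only the first ret bytes of buffer1 were written by the decode above */`. It protects only reads that are actually compared against `opcode_buffer_end`. The loop that consumes the opcodes is outside this hunk, so check that every multi-byte read there tests the remaining length first, including the case ret == 0. The initializer `s->buffer1 + s->buffer1_size` on the declaration looks like a dead store now, assuming nothing reads the pointer before this assignment. xan_wc3_decode_frame begins and ends outside the hunk.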


