While reading a fuzzed bitstream, the decoder can read past the end of the
bitstream, causing invalid reads.
---
libavcodec/xl.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/libavcodec/xl.c b/libavcodec/xl.c
index 197b0c2..077b022 100644
--- a/libavcodec/xl.c
+++ b/libavcodec/xl.c
@@ -44,6 +44,7 @@ static int decode_frame(AVCodecContext *avctx,
{
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
VideoXLContext * const a = avctx->priv_data;
AVFrame * const p= (AVFrame*)&a->pic;
uint8_t *Y, *U, *V;
@@ -70,6 +71,8 @@ static int decode_frame(AVCodecContext *avctx,
stride = avctx->width - 4;
for (i = 0; i < avctx->height; i++) {
/* lines are stored in reversed order */
+ if(buf + stride > buf_end)
+ break;
buf += stride;
for (j = 0; j < avctx->width; j += 4) {
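Review bot: The added check `if(buf + stride > buf_end)` computes a pointer that can lie far beyond the end of the packet before comparing it, which is undefined behaviour in C and may wrap or be optimised away. Comparing the remaining length avoids that: `if (buf_end - buf < stride) break;`. The third hunk uses the same form (`buf + avctx->width + 4 > buf_end`). The inner loop body is outside this hunk; if it reads a 32-bit word at `buf` right after the advance, a packet that ends exactly at `buf + stride` still passes the check and is over-read by four bytes, so the bound would need to be the full row, `if (buf_end - buf < avctx->width) break;`.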
@@ -108,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx,
V[j >> 2] = c1 << 1;
}
+ if (buf + avctx->width + 4 > buf_end)
+ break;
buf += avctx->width + 4;
Y += a->pic.linesize[0];
U += a->pic.linesize[1];
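Review bot: Both new `break` statements leave the row loop silently, so a truncated packet is presumably still returned as a decoded frame, with the remaining rows holding whatever the picture buffer contained before. The caller gets no indication that the input was invalid. Each row appears to consume `avctx->width` bytes, so one check ahead of the loop, `if (buf_size < avctx->width * avctx->height) return AVERROR_INVALIDDATA;` preceded by an `av_log` error line, would reject short packets up front and make the per-row checks unnecessary. The loop's end and the return path of decode_frame are outside the hunk, so confirm what is returned after an early exit.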
--
1.7.4.1