On Sat, Jun 29, 2013 at 06:39:07AM +0200, Luca Barbato wrote: > Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: [email protected] > --- > libavcodec/pcx.c | 22 +++++++++++++++------- > 1 file changed, 15 insertions(+), 7 deletions(-) > > diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c > index 53f8c19..5b74f5b 100644 > --- a/libavcodec/pcx.c > +++ b/libavcodec/pcx.c > @@ -31,7 +31,9 @@ > /** > * @return advanced src pointer > */ > -static const uint8_t *pcx_rle_decode(const uint8_t *src, uint8_t *dst, > +static const uint8_t *pcx_rle_decode(const uint8_t *src, > + const uint8_t *end, > + uint8_t *dst, > unsigned int bytes_per_scanline, > int compressed) > { > @@ -39,7 +41,7 @@ static const uint8_t *pcx_rle_decode(const uint8_t *src, > uint8_t *dst, > unsigned char run, value; > > if (compressed) { > - while (i < bytes_per_scanline) { > + while (i < bytes_per_scanline && src < end) { > run = 1; > value = *src++; > if (value >= 0xc0) {
I suspect you still need an additional check(s) in this function. _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
