On 06/29/2013 07:00 AM, Kostya Shishkov wrote: > On Sat, Jun 29, 2013 at 06:39:07AM +0200, Luca Barbato wrote: >> Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind >> CC: [email protected] >> --- >> libavcodec/pcx.c | 22 +++++++++++++++------- >> 1 file changed, 15 insertions(+), 7 deletions(-) >> >> diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c >> index 53f8c19..5b74f5b 100644 >> --- a/libavcodec/pcx.c >> +++ b/libavcodec/pcx.c >> @@ -31,7 +31,9 @@ >> /** >> * @return advanced src pointer >> */ >> -static const uint8_t *pcx_rle_decode(const uint8_t *src, uint8_t *dst, >> +static const uint8_t *pcx_rle_decode(const uint8_t *src, >> + const uint8_t *end, >> + uint8_t *dst, >> unsigned int bytes_per_scanline, >> int compressed) >> { >> @@ -39,7 +41,7 @@ static const uint8_t *pcx_rle_decode(const uint8_t *src, >> uint8_t *dst, >> unsigned char run, value; >> >> if (compressed) { >> - while (i < bytes_per_scanline) { >> + while (i < bytes_per_scanline && src < end) { >> run = 1; >> value = *src++; >> if (value >= 0xc0) { > > I suspect you still need an additional check(s) in this function.
For the uncompressed case I check on init. lu _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
