On Sun, Sep 29, 2013 at 01:05:31PM +0300, Martin Storsjö wrote: > This fixes reads out of bounds. > > Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: [email protected] > --- > libavcodec/pcx.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c > index fd8bb2a..837f268 100644 > --- a/libavcodec/pcx.c > +++ b/libavcodec/pcx.c > @@ -169,6 +169,12 @@ static int pcx_decode_frame(AVCodecContext *avctx, void > *data, int *got_frame, > } else if (nplanes == 1 && bits_per_pixel == 8) { > const uint8_t *palstart = bufstart + buf_size - 769; > > + if (buf_size < 769) { > + av_log(avctx, AV_LOG_ERROR, "File is too short\n"); > + ret = buf_size; > + goto end; > + } > + > for (y = 0; y < h; y++, ptr += stride) { > buf = pcx_rle_decode(buf, buf_end, > scanline, bytes_per_scanline, compressed); > --
looks OK _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
