Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22'
* commit '3abde1a3b49cf299f2aae4eaae6b6cb5270bdc22':
  pcx: Do not overread source buffer in pcx_rle_decode

Conflicts:
	libavcodec/pcx.c

See: 8cd1c0f
Bytestream based system is left in place and not switched to buf+end, such switch would be
a step backward

Merged-by: Michael Niedermayer <michaelni@gmx.at>
  • Loading branch information
michaelni committed Jul 12, 2013
2 parents 54bbb90 + 3abde1a commit 50617fc
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions libavcodec/pcx.c
Expand Up @@ -28,17 +28,19 @@
#include "get_bits.h"
#include "internal.h"

static void pcx_rle_decode(GetByteContext *gb, uint8_t *dst,
unsigned int bytes_per_scanline, int compressed)
static void pcx_rle_decode(GetByteContext *gb,
uint8_t *dst,
unsigned int bytes_per_scanline,
int compressed)
{
unsigned int i = 0;
unsigned char run, value;

if (compressed) {
while (i < bytes_per_scanline) {
while (i < bytes_per_scanline && bytestream2_get_bytes_left(gb)>0) {
run = 1;
value = bytestream2_get_byte(gb);
if (value >= 0xc0) {
if (value >= 0xc0 && bytestream2_get_bytes_left(gb)>0) {
run = value & 0x3f;
value = bytestream2_get_byte(gb);
}
Expand Down Expand Up @@ -104,7 +106,8 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
bytes_per_line = bytestream2_get_le16u(&gb);
bytes_per_scanline = nplanes * bytes_per_line;

if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8) {
if (bytes_per_scanline < (w * bits_per_pixel * nplanes + 7) / 8 ||
(!compressed && bytes_per_scanline > bytestream2_get_bytes_left(&gb) / h)) {
av_log(avctx, AV_LOG_ERROR, "PCX data is corrupted\n");
return AVERROR_INVALIDDATA;
}
Expand Down

0 comments on commit 50617fc

Please sign in to comment.