rpza: error out on buffer overreads.

Message ID 20120229192733.6EBF65E0C7@aruru.libav.org
State New
Headers show

Commit Message

Janne Grunau Feb. 29, 2012, 7:27 p.m.
Module: libav
Branch: master
Commit: 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378

Author:    Ronald S. Bultje <rsbultje@gmail.com>
Committer: Ronald S. Bultje <rsbultje@gmail.com>
Date:      Tue Feb 28 17:04:33 2012 -0800

rpza: error out on buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

---

 libavcodec/rpza.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

Patch

diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
index 7350ef2..59c3a7b 100644
--- a/libavcodec/rpza.c
+++ b/libavcodec/rpza.c
@@ -183,6 +183,8 @@  static void rpza_decode_stream(RpzaContext *s)
             color4[1] |= ((11 * ta + 21 * tb) >> 5);
             color4[2] |= ((21 * ta + 11 * tb) >> 5);
 
+            if (s->size - stream_ptr < n_blocks * 4)
+                return;
             while (n_blocks--) {
                 block_ptr = row_ptr + pixel_ptr;
                 for (pixel_y = 0; pixel_y < 4; pixel_y++) {
@@ -200,6 +202,8 @@  static void rpza_decode_stream(RpzaContext *s)
 
         /* Fill block with 16 colors */
         case 0x00:
+            if (s->size - stream_ptr < 16)
+                return;
             block_ptr = row_ptr + pixel_ptr;
             for (pixel_y = 0; pixel_y < 4; pixel_y++) {
                 for (pixel_x = 0; pixel_x < 4; pixel_x++){