videolan
/
ffmpeg
mirror of https://git.videolan.org/git/ffmpeg.git
1
Fork 0
Code Releases Activity

Additional checks to prevent overread. 

Check for availability of some required amount of bytes in buffer before
reading further.

Signed-off-by: Vitaliy E Sugrobov <vsugrob@hotmail.com>
This commit is contained in:
Vitaliy E Sugrobov 2012-11-30 12:58:54 +04:00 committed by Paul B Mahol
parent 91499f4ee8
commit de0cb7f070
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
libavcodec/gifdec.c
View File

@ -146,6 +146,10 @@ static int gif_read_image(GifState *s)
int ret;
uint8_t *idx;
/* At least 9 bytes of Image Descriptor. */
if (s->bytestream_end < s->bytestream + 9)
return AVERROR_INVALIDDATA;
left = bytestream_get_le16(&s->bytestream);
top = bytestream_get_le16(&s->bytestream);
width = bytestream_get_le16(&s->bytestream);
@ -222,6 +226,10 @@ static int gif_read_image(GifState *s)
}
}
/* Expect at least 2 bytes: 1 for lzw code size and 1 for block size. */
if (s->bytestream_end < s->bytestream + 2)
return AVERROR_INVALIDDATA;
/* now get the image data */
code_size = bytestream_get_byte(&s->bytestream);
if ((ret = ff_lzw_decode_init(s->lzw, code_size, s->bytestream,
@ -296,7 +304,11 @@ static int gif_read_extension(GifState *s)
{
int ext_code, ext_len, i, gce_flags, gce_transparent_index;
/* extension */
/* There must be at least 2 bytes:
* 1 for extension label and 1 for extension length. */
if (s->bytestream_end < s->bytestream + 2)
return AVERROR_INVALIDDATA;
ext_code = bytestream_get_byte(&s->bytestream);
ext_len = bytestream_get_byte(&s->bytestream);
@ -306,6 +318,12 @@ static int gif_read_extension(GifState *s)
case GIF_GCE_EXT_LABEL:
if (ext_len != 4)
goto discard_ext;
/* We need at least 5 bytes more: 4 is for extension body
* and 1 for next block size. */
if (s->bytestream_end < s->bytestream + 5)
return AVERROR_INVALIDDATA;
s->transparent_color_index = -1;
gce_flags = bytestream_get_byte(&s->bytestream);
bytestream_get_le16(&s->bytestream); // delay during which the frame is shown
@ -332,6 +350,10 @@ static int gif_read_extension(GifState *s)
/* NOTE: many extension blocks can come after */
discard_ext:
while (ext_len != 0) {
/* There must be at least ext_len bytes and 1 for next block size byte. */
if (s->bytestream_end < s->bytestream + ext_len + 1)
return AVERROR_INVALIDDATA;
for (i = 0; i < ext_len; i++)
bytestream_get_byte(&s->bytestream);
ext_len = bytestream_get_byte(&s->bytestream);