| avcodec/cdgraphics: check buffer size before use |
| |
| Fixes out of array accesses |
| |
| Backported from:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942 |
| |
| Upstream-Status: Backport |
| |
| Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind |
| Signed-off-by: Michael Niedermayer <michaelni@gmx.at> |
| Signed-off-by: Ming Liu <ming.liu@windriver.com> |
| |
| diff -urpN a/gst-libs/ext/libav/libavcodec/cdgraphics.c b/gst-libs/ext/libav/libavcodec/cdgraphics.c |
| --- a/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:17:08.399876575 +0800 |
| +++ b/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:18:05.880502267 +0800 |
| @@ -291,7 +291,9 @@ static int cdg_decode_frame(AVCodecConte |
| inst = bytestream_get_byte(&buf); |
| inst &= CDG_MASK; |
| buf += 2; /// skipping 2 unneeded bytes |
| - bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); |
| + |
| + if (buf_size > CDG_HEADER_SIZE) |
| + bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); |
| |
| if ((command & CDG_MASK) == CDG_COMMAND) { |
| switch (inst) { |