Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | avcodec/cdgraphics: check buffer size before use |
| 2 | |
| 3 | Fixes out of array accesses |
| 4 | |
| 5 | Backported from:http://git.videolan.org/?p=ffmpeg.git;a=commit;h=ad002e1a13a8df934bd6cb2c84175a4780ab8942 |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | |
| 9 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind |
| 10 | Signed-off-by: Michael Niedermayer <michaelni@gmx.at> |
| 11 | Signed-off-by: Ming Liu <ming.liu@windriver.com> |
| 12 | |
| 13 | diff -urpN a/gst-libs/ext/libav/libavcodec/cdgraphics.c b/gst-libs/ext/libav/libavcodec/cdgraphics.c |
| 14 | --- a/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:17:08.399876575 +0800 |
| 15 | +++ b/gst-libs/ext/libav/libavcodec/cdgraphics.c 2013-07-18 13:18:05.880502267 +0800 |
| 16 | @@ -291,7 +291,9 @@ static int cdg_decode_frame(AVCodecConte |
| 17 | inst = bytestream_get_byte(&buf); |
| 18 | inst &= CDG_MASK; |
| 19 | buf += 2; /// skipping 2 unneeded bytes |
| 20 | - bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); |
| 21 | + |
| 22 | + if (buf_size > CDG_HEADER_SIZE) |
| 23 | + bytestream_get_buffer(&buf, cdg_data, buf_size - CDG_HEADER_SIZE); |
| 24 | |
| 25 | if ((command & CDG_MASK) == CDG_COMMAND) { |
| 26 | switch (inst) { |