If the tile data size does not match the buffer size it did not
return an AVERROR_INVALIDDATA causing further corruption later.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 7388c0c58601477db076e2e74e8b11f8a644384a)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/ivi_common.c
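--- a/libavcodec/ivi_common.c
+++ b/libavcodec/ivi_common.c
@@ -737,8 +737,16 @@ static int decode_band(IVI45DecContext *ctx, int plane_num,
 break;
 
 result = ff_ivi_decode_blocks(&ctx->gb, band, tile);
- if (result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) {
- av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n");
+ if (result < 0) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Corrupted tile data encountered!\n");
+ break;
+ }
+
+ if (((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Tile data_size mismatch!\n");
+ result = AVERROR_INVALIDDATA;
 break;
 }
 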
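Review bot: The new check `if (((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size)` runs only after `ff_ivi_decode_blocks()` has consumed the bitstream, so it detects a size mismatch after the fact rather than rejecting a bad tile up front. If `tile->data_size` is not bounded against the remaining input earlier in `decode_band` (not visible in this hunk), a pre-decode guard such as `if (tile->data_size > get_bits_left(&ctx->gb) >> 3) { result = AVERROR_INVALIDDATA; break; }` would stop an oversized tile before any block is decoded. The `>> 3` rounds the consumed bit count down, so up to seven trailing bits still pass the comparison; a one-line comment saying this is intended would help. The `break` in the first context line belongs to an earlier error path that starts outside the hunk, and it is worth confirming that path also sets `result`, since a missing error code is the defect this commit fixes.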