GitList

Browse code

rpza: limit the number of blocks to the total remaining blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

Anton Khirnov authored on 2013/11/28 18:54:35
Showing 1 changed files

libavcodec/rpza.c index 0efd7f4..83dde7a 100644

@@ -119,6 +119,8 @@ static void rpza_decode_stream(RpzaContext *s)
             }
         }
 
+        n_blocks = FFMIN(n_blocks, total_blocks);
+
         switch (opcode & 0xe0) {
 
         /* Skip blocks */

...	...	@@ -119,6 +119,8 @@ static void rpza_decode_stream(RpzaContext *s)
119	119	}
120	120	}
121	121
	122	+ n_blocks = FFMIN(n_blocks, total_blocks);
	123	+
122	124	switch (opcode & 0xe0) {
123	125
124	126	/* Skip blocks */