Browse code
rpza: error out on buffer overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Ronald S. Bultje authored on 2012/02/29 10:04:33Showing 1 changed files
| ... | ... |
@@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s) |
| 183 | 183 |
color4[1] |= ((11 * ta + 21 * tb) >> 5); |
| 184 | 184 |
color4[2] |= ((21 * ta + 11 * tb) >> 5); |
| 185 | 185 |
|
| 186 |
+ if (s->size - stream_ptr < n_blocks * 4) |
|
| 187 |
+ return; |
|
| 186 | 188 |
while (n_blocks--) {
|
| 187 | 189 |
block_ptr = row_ptr + pixel_ptr; |
| 188 | 190 |
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
| ... | ... |
@@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s) |
| 200 | 200 |
|
| 201 | 201 |
/* Fill block with 16 colors */ |
| 202 | 202 |
case 0x00: |
| 203 |
+ if (s->size - stream_ptr < 16) |
|
| 204 |
+ return; |
|
| 203 | 205 |
block_ptr = row_ptr + pixel_ptr; |
| 204 | 206 |
for (pixel_y = 0; pixel_y < 4; pixel_y++) {
|
| 205 | 207 |
for (pixel_x = 0; pixel_x < 4; pixel_x++){
|