If the tile data size does not match the buffer size it did not
return an AVERROR_INVALIDDATA, causing further corruption later.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 7388c0c58601477db076e2e74e8b11f8a644384a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -804,8 +804,16 @@ static int decode_band(IVI45DecContext *ctx, |
804 | 804 |
break; |
805 | 805 |
|
806 | 806 |
result = ivi_decode_blocks(&ctx->gb, band, tile, avctx); |
807 |
- if (result < 0 || ((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { |
|
808 |
- av_log(avctx, AV_LOG_ERROR, "Corrupted tile data encountered!\n"); |
|
807 |
+ if (result < 0) { |
|
808 |
+ av_log(avctx, AV_LOG_ERROR, |
|
809 |
+ "Corrupted tile data encountered!\n"); |
|
810 |
+ break; |
|
811 |
+ } |
|
812 |
+ |
|
813 |
+ if (((get_bits_count(&ctx->gb) - pos) >> 3) != tile->data_size) { |
|
814 |
+ av_log(avctx, AV_LOG_ERROR, |
|
815 |
+ "Tile data_size mismatch!\n"); |
|
816 |
+ result = AVERROR_INVALIDDATA; |
|
809 | 817 |
break; |
810 | 818 |
} |
811 | 819 |
|
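Review bot: The size check added at new lines 813-817 runs only after `ivi_decode_blocks()` has already consumed the tile, so it can report a wrong `tile->data_size` but cannot stop the decode from acting on it; whether `data_size` is bounded against the remaining input before that call is not visible in this hunk and is worth confirming. The comparison shifts the consumed bit count with `>> 3`, which rounds down, so a tile that overruns its declared size by up to 7 bits still compares equal unless the reader is byte-aligned earlier (not shown here). For triage it would help to log both values, e.g. `"Tile data_size mismatch: consumed %d, declared %d\n"` with specifiers matching the fields' types, and to put a comment on the assignment such as `/* decode returned success; force an error so the mismatch is not reported as a good band */`. `decode_band` starts and ends outside the hunk, so how the caller handles the returned error is not checked here.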