[FFmpeg-cvslog] mmvideo: Make sure the rle does not write over the frame boundaries
Luca Barbato
git at videolan.org
Sat Sep 12 13:14:42 CEST 2015
ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Thu Sep 10 14:46:05 2015 +0200| [9b5a4a9cce3042558e107ae1ed30d9bf3d867a35] | committer: Luca Barbato
mmvideo: Make sure the rle does not write over the frame boundaries
Bug-Id: 887
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b5a4a9cce3042558e107ae1ed30d9bf3d867a35
---
libavcodec/mmvideo.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/mmvideo.c b/libavcodec/mmvideo.c
index f8adcdd..0736630 100644
--- a/libavcodec/mmvideo.c
+++ b/libavcodec/mmvideo.c
@@ -99,7 +99,8 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
while (bytestream2_get_bytes_left(&s->gb) > 0) {
int run_length, color;
- if (y >= s->avctx->height)
+ // writes one more line when half_vert is true
+ if (y >= s->avctx->height + !!half_vert)
return 0;
color = bytestream2_get_byte(&s->gb);
@@ -113,6 +114,9 @@ static int mm_decode_intra(MmContext * s, int half_horiz, int half_vert)
if (half_horiz)
run_length *=2;
+ if (s->avctx->width - x < run_length)
+ return AVERROR_INVALIDDATA;
+
if (color) {
memset(s->frame->data[0] + y*s->frame->linesize[0] + x, color, run_length);
if (half_vert)
More information about the ffmpeg-cvslog
mailing list