[FFmpeg-cvslog] Merge commit '221402c1c88b9d12130c6f5834029b535ee0e0c5'

[Clément Bœsch]

ffmpeg | branch: master | Clément Bœsch <u at pkh.me> | Sun Mar 19 17:54:08 2017 +0100| [ca619cdf54caa75becf53d821258174cbbf85550] | committer: Clément Bœsch

Merge commit '221402c1c88b9d12130c6f5834029b535ee0e0c5'

* commit '221402c1c88b9d12130c6f5834029b535ee0e0c5':
  pcx: check that the packet is large enough before reading the header

See 8cd1c0febe88b757e915e9af15559575c21ca728

Merged-by: Clément Bœsch <u at pkh.me>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ca619cdf54caa75becf53d821258174cbbf85550
---

 libavcodec/pcx.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 1d3ee8d..58a5e1e 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -28,6 +28,8 @@
 #include "get_bits.h"
 #include "internal.h"
 
+#define PCX_HEADER_SIZE 128
+
 static void pcx_rle_decode(GetByteContext *gb,
                            uint8_t *dst,
                            unsigned int bytes_per_scanline,
@@ -74,8 +76,10 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                  bytes_per_scanline;
     uint8_t *ptr, *scanline;
 
-    if (avpkt->size < 128)
+    if (avpkt->size < PCX_HEADER_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
         return AVERROR_INVALIDDATA;
+    }
 
     bytestream2_init(&gb, avpkt->data, avpkt->size);
 


======================================================================

diff --cc libavcodec/pcx.c
index 1d3ee8d,2191ad1..58a5e1e
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@@ -28,10 -28,16 +28,12 @@@
  #include "get_bits.h"
  #include "internal.h"
  
+ #define PCX_HEADER_SIZE 128
+ 
 -/**
 - * @return advanced src pointer
 - */
 -static const uint8_t *pcx_rle_decode(const uint8_t *src,
 -                                     const uint8_t *end,
 -                                     uint8_t *dst,
 -                                     unsigned int bytes_per_scanline,
 -                                     int compressed)
 +static void pcx_rle_decode(GetByteContext *gb,
 +                           uint8_t *dst,
 +                           unsigned int bytes_per_scanline,
 +                           int compressed)
  {
      unsigned int i = 0;
      unsigned char run, value;
@@@ -66,20 -75,24 +68,22 @@@ static void pcx_palette(GetByteContext 
  static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
                              AVPacket *avpkt)
  {
 -    const uint8_t *buf = avpkt->data;
 -    int buf_size       = avpkt->size;
 -    AVFrame *const p   = data;
 +    GetByteContext gb;
 +    AVFrame * const p  = data;
      int compressed, xmin, ymin, xmax, ymax;
 +    int ret;
      unsigned int w, h, bits_per_pixel, bytes_per_line, nplanes, stride, y, x,
                   bytes_per_scanline;
 -    uint8_t *ptr;
 -    const uint8_t *buf_end = buf + buf_size;
 -    const uint8_t *bufstart = buf;
 -    uint8_t *scanline;
 -    int ret = -1;
 +    uint8_t *ptr, *scanline;
  
-     if (avpkt->size < 128)
 -    if (buf_size < PCX_HEADER_SIZE) {
++    if (avpkt->size < PCX_HEADER_SIZE) {
+         av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
          return AVERROR_INVALIDDATA;
+     }
  
 -    if (buf[0] != 0x0a || buf[1] > 5) {
 +    bytestream2_init(&gb, avpkt->data, avpkt->size);
 +
 +    if (bytestream2_get_byteu(&gb) != 0x0a || bytestream2_get_byteu(&gb) > 5) {
          av_log(avctx, AV_LOG_ERROR, "this is not PCX encoded data\n");
          return AVERROR_INVALIDDATA;
      }