4xm: Check available space in read_huffman_tables()

Fixes integer overflow and out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-01-26 02:03:05 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-01-26 02:27:19 +0100
commit: 53a3fdbfc56da54b2c0a44eb1f956ec9d67d1425 (patch)
tree: 4eccb5f823c63f70a943965ed139d60b65e84e7a /libavcodec/4xm.c
parent: dcbb920f1587d1fce777aae947a49304665436b5 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index 2db3026756..39254f7c07 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -599,8 +599,10 @@ static const uint8_t *read_huffman_tables(FourXContext *f,
     for (;;) {
         int i;
 
-        if (start <= end && ptr_end - ptr < end - start + 1 + 1)
+        if (ptr_end - ptr < FFMAX(end - start + 1, 0) + 1) {
+            av_log(f->avctx, AV_LOG_ERROR, "invalid data in read_huffman_tables\n");
             return NULL;
+        }
         for (i = start; i <= end; i++)
             frequency[i] = *ptr++;
         start = *ptr++;
@@ -614,6 +616,11 @@ static const uint8_t *read_huffman_tables(FourXContext *f,
     while ((ptr - buf) & 3)
         ptr++; // 4byte align
 
+    if (ptr > ptr_end) {
+        av_log(f->avctx, AV_LOG_ERROR, "ptr overflow in read_huffman_tables\n");
+        return NULL;
+    }
+
     for (j = 257; j < 512; j++) {
         int min_freq[2] = { 256 * 256, 256 * 256 };
         int smallest[2] = { 0, 0 };
author	Michael Niedermayer <michaelni@gmx.at>	2013-01-26 02:03:05 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-01-26 02:27:19 +0100
commit	53a3fdbfc56da54b2c0a44eb1f956ec9d67d1425 (patch)
tree	4eccb5f823c63f70a943965ed139d60b65e84e7a /libavcodec/4xm.c
parent	dcbb920f1587d1fce777aae947a49304665436b5 (diff)