flicvideo: fix crash on flic files with invalid frame size

Add a check in flic_decode_frame_8BPP(), in case chunk_size is > frame_size issue a warning and resize chunk_size to frame_size, in order to avoid out-of-buffer reads. Fix roundup issue #2520, trac issue #69. Signed-off-by: Stefano Sabatini <stefano.sabatini-lala@poste.it>
author: Stefano Sabatini <stefano.sabatini-lala@poste.it> 2011-04-23 00:08:28 +0200
committer: Stefano Sabatini <stefano.sabatini-lala@poste.it> 2011-04-23 12:13:20 +0200
commit: efd6cbc5ddac2d4df7008733bfef1d6d6809cc3c (patch)
tree: d6056ea412d71b130ea92a201351c4ab0e860b7c /libavcodec/flicvideo.c
parent: cd1872799d89a87b1d06132118836c82cda2a44f (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index 126c4e1a04..7d2fd87647 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -181,6 +181,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
     /* iterate through the chunks */
     while ((frame_size > 0) && (num_chunks > 0)) {
         chunk_size = AV_RL32(&buf[stream_ptr]);
+        if (chunk_size > frame_size) {
+            av_log(avctx, AV_LOG_WARNING,
+                   "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
+            chunk_size = frame_size;
+        }
         stream_ptr += 4;
         chunk_type = AV_RL16(&buf[stream_ptr]);
         stream_ptr += 2;
author	Stefano Sabatini <stefano.sabatini-lala@poste.it>	2011-04-23 00:08:28 +0200
committer	Stefano Sabatini <stefano.sabatini-lala@poste.it>	2011-04-23 12:13:20 +0200
commit	efd6cbc5ddac2d4df7008733bfef1d6d6809cc3c (patch)
tree	d6056ea412d71b130ea92a201351c4ab0e860b7c /libavcodec/flicvideo.c
parent	cd1872799d89a87b1d06132118836c82cda2a44f (diff)