From 295a7c0238e84b0ffa8f21ed938d45f51f54a4cd Mon Sep 17 00:00:00 2001 From: Aneesh Dogra Date: Thu, 5 Jan 2012 01:28:21 +0530 Subject: 4xm: Prevent buffer overreads. 4xm decoder while decoding i2 frames can overread the buffer if proper checks are not made. Signed-off-by: Ronald S. Bultje --- libavcodec/4xm.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'libavcodec/4xm.c') diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index cfb8279870..d16c232fbf 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -614,16 +614,24 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ int x, y, x2, y2; const int width= f->avctx->width; const int height= f->avctx->height; + const int mbs = FFALIGN(width, 16) * FFALIGN(height, 16); uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; + GetByteContext g3; + + if(length < mbs * 8) { + av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); + return AVERROR_INVALIDDATA; + } + bytestream2_init(&g3, buf, length); for(y=0; y>2) + 8*(y2>>2); -- cgit v1.2.3
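Review bot: The new guard `if(length < mbs * 8)` appears to compare the packet size against a pixel count rather than a block count, because `mbs` is set to `FFALIGN(width, 16) * FFALIGN(height, 16)`, which is the aligned picture area. If the loop consumes 8 bytes per 16x16 block, as the name `mbs` and the 16-pixel alignment suggest (the loop body is truncated on this page, so this is inferred), the check demands 256 times more data than is read and would reject valid i2 packets with AVERROR_INVALIDDATA; the bound would then be `const int mbs = (FFALIGN(width, 16) >> 4) * (FFALIGN(height, 16) >> 4);`. The product `mbs * 8` is also evaluated in `int`, so the guard relies on width and height having been bounded before this function runs, and a short comment naming where that happens would make the check auditable. decode_i2_frame continues past the visible lines, so whether every read in the loop goes through the bounds-checked `g3` reader cannot be confirmed from this hunk.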