From fea714ecd9de557054b2540119f6b5635ba0e636 Mon Sep 17 00:00:00 2001
From: Daniel Kang
Date: Fri, 7 Jan 2011 19:55:22 +0000
Subject: Do not overread input buffer. Fixes issue 2503. Patch by Daniel Kang, daniel.d.kang at gmail Originally committed as revision 26256 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/dpx.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'libavcodec/dpx.c')
diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index f92b3d0e31..e49c969c6f 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -55,6 +55,7 @@ static int decode_frame(AVCodecContext *avctx,
 AVPacket *avpkt)
 {
 const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
 int buf_size = avpkt->size;
 DPXContext *const s = avctx->priv_data;
 AVFrame *picture = data;
@@ -172,6 +173,10 @@ static int decode_frame(AVCodecContext *avctx,
 case 8:
 case 12: // Treat 12-bit as 16-bit
 case 16:
+ if (source_packet_size*avctx->width*avctx->height > buf_end - buf) {
+ av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
+ return -1;
+ }
 if (source_packet_size == target_packet_size) {
 for (x = 0; x < avctx->height; x++) {
 memcpy(ptr, buf, target_packet_size*avctx->width);
-- cgit v1.2.3
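Review bot: The new bounds check in the second hunk (`@@ -172,6 +173,10 @@`) multiplies three `int` values, so `source_packet_size*avctx->width*avctx->height` can overflow before it is compared with `buf_end - buf`; a wrapped product could pass the test and the `memcpy` loop below would still read past the packet. Unless the dimensions are already bounded earlier in `decode_frame` (not visible here), widen the arithmetic, e.g. `if ((int64_t)source_packet_size*avctx->width*avctx->height > buf_end - buf) {`. The check also sits only under the `case 8:`/`case 12:`/`case 16:` labels, so any other bit-depth branch of the switch outside the hunk should be confirmed to have an equivalent guard. The enclosing function and switch both start and end outside the hunk.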