From 221402c1c88b9d12130c6f5834029b535ee0e0c5 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Sun, 14 Aug 2016 10:18:39 +0200
Subject: pcx: check that the packet is large enough before reading the header

Fixes possible invalid reads.

CC: libav-stable@libav.org
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
---
 libavcodec/pcx.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'libavcodec/pcx.c')

diff --git a/libavcodec/pcx.c b/libavcodec/pcx.c
index 77b2331f0e..2191ad1503 100644
--- a/libavcodec/pcx.c
+++ b/libavcodec/pcx.c
@@ -28,6 +28,8 @@
 #include "get_bits.h"
 #include "internal.h"
 
+#define PCX_HEADER_SIZE 128
+
 /**
  * @return advanced src pointer
  */
@@ -85,6 +87,11 @@ static int pcx_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     uint8_t *scanline;
     int ret = -1;
 
+    if (buf_size < PCX_HEADER_SIZE) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (buf[0] != 0x0a || buf[1] > 5) {
         av_log(avctx, AV_LOG_ERROR, "this is not PCX encoded data\n");
         return AVERROR_INVALIDDATA;
-- 
cgit v1.2.3