From 18de79692c1d8a5577fda16261a217f6d21dd867 Mon Sep 17 00:00:00 2001
From: Reimar Döffinger
Date: Sat, 20 Aug 2011 13:13:01 +0200
Subject: roqvideodec: Improve checking of input buffer bounds.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes trac issue #408.
Signed-off-by: Reimar Döffinger
---
 libavcodec/roqvideodec.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'libavcodec/roqvideodec.c')
diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c
index 4af7ede9ad..f0c3ebb8d9 100644
--- a/libavcodec/roqvideodec.c
+++ b/libavcodec/roqvideodec.c
@@ -71,9 +71,17 @@ static void roqvideo_decode_frame(RoqContext *ri)
 }
 bpos = xpos = ypos = 0;
+ if (chunk_size > buf_end - buf) {
+ av_log(ri->avctx, AV_LOG_ERROR, "Chunk does not fit in input buffer\n");
+ chunk_size = buf_end - buf;
+ }
 while(bpos < chunk_size) {
 for (yp = ypos; yp < ypos + 16; yp += 8) for (xp = xpos; xp < xpos + 16; xp += 8) {
+ if (bpos >= chunk_size) {
+ av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
+ return;
+ }
 if (vqflg_pos < 0) {
 vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8); vqflg_pos = 7;
@@ -103,6 +111,10 @@ static void roqvideo_decode_frame(RoqContext *ri)
 if(k & 0x01) x += 4; if(k & 0x02) y += 4;
+ if (bpos >= chunk_size) {
+ av_log(ri->avctx, AV_LOG_ERROR, "Input buffer too small\n");
+ return;
+ }
 if (vqflg_pos < 0) {
 vqflg = buf[bpos++]; vqflg |= (buf[bpos++] << 8);
-- cgit v1.2.3
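Review bot: The guard added before `if (vqflg_pos < 0)` tests only `bpos >= chunk_size`, but the branch it protects consumes two bytes (`buf[bpos++]` twice), so with `bpos == chunk_size - 1` the high byte of `vqflg` is still read from beyond the chunk, and from `buf_end` itself when `chunk_size` has just been clamped to `buf_end - buf`. The identical one-byte guard in the second hunk (`@@ -103,6 +111,10 @@`) has the same gap. Requiring two bytes whenever a refill is due would close it, e.g. `if (bpos >= chunk_size || (vqflg_pos < 0 && chunk_size - bpos < 2)) {`. The rest of the loop body lies outside both hunks, so any further `buf[bpos++]` reads there would presumably need an equivalent bound.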
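Review bot: The `return;` taken on truncated input leaves `roqvideo_decode_frame` part-way through a frame with no status for the caller, because the function is `static void` (as the hunk header shows). The caller is outside this diff, so it presumably cannot tell a truncated frame from a complete one and may pass it on as successfully decoded. The guard in the first hunk exits the same way. Consider returning an `int` error code so the caller can decide whether to drop the frame, or at least record the intent next to the return with a comment such as `/* truncated chunk: keep the blocks decoded so far */`. The function body starts and ends outside the hunk.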