From 2305742b2a0fd64cccbdfe12c9e90555c8bb798e Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Tue, 27 Sep 2011 22:15:32 +0000
Subject: sunrast: Check for invalid/corrupted bitstream

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
---
 libavcodec/sunrast.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'libavcodec/sunrast.c')

diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c
index 9ec1df8ae1..455619e39e 100644
--- a/libavcodec/sunrast.c
+++ b/libavcodec/sunrast.c
@@ -68,21 +68,25 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
     type      = AV_RB32(buf+20);
     maptype   = AV_RB32(buf+24);
     maplength = AV_RB32(buf+28);
+    buf      += 32;
 
     if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
         av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
         return -1;
     }
-    if (type > RT_FORMAT_IFF) {
+    if (type < RT_OLD || type > RT_FORMAT_IFF) {
         av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
         return -1;
     }
+    if (av_image_check_size(w, h, 0, avctx)) {
+        av_log(avctx, AV_LOG_ERROR, "invalid image size\n");
+        return -1;
+    }
     if (maptype & ~1) {
         av_log(avctx, AV_LOG_ERROR, "invalid colormap type\n");
         return -1;
     }
 
-    buf += 32;
 
     switch (depth) {
         case 1:
@@ -102,8 +106,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
     if (p->data[0])
         avctx->release_buffer(avctx, p);
 
-    if (av_image_check_size(w, h, 0, avctx))
-        return -1;
     if (w != avctx->width || h != avctx->height)
         avcodec_set_dimensions(avctx, w, h);
     if (avctx->get_buffer(avctx, p) < 0) {
-- 
cgit v1.2.3