[FFmpeg-cvslog] raw: move buffer size check up.
Ronald S. Bultje
git at videolan.org
Thu Mar  8 03:10:35 CET 2012

ffmpeg | branch: master | Ronald S. Bultje <rsbultje at gmail.com> | Tue Mar  6 16:08:10 2012 -0800| [cc5dd632cecc5114717d0b90f8c2be162b1c6ee8] | committer: Ronald S. Bultje
raw: move buffer size check up.
This way, it protects against overreads for 4bpp/2bpp content also.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc5dd632cecc5114717d0b90f8c2be162b1c6ee8
---
 libavcodec/rawdec.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index d3c8165..6541b78 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -129,6 +129,9 @@ static int raw_decode(AVCodecContext *avctx,
     frame->reordered_opaque = avctx->reordered_opaque;
     frame->pkt_pts          = avctx->pkt->pts;
 
+    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
+        return -1;
+
     //2bpp and 4bpp raw in avi and mov (yes this is ugly ...)
     if (context->buffer) {
         int i;
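Review bot: the relocated check at the top of this hunk returns a bare `-1` with no log line, so a caller cannot tell a truncated packet from any other failure. Returning AVERROR_INVALIDDATA and emitting an av_log message with buf_size and context->length would make rejected packets diagnosable. A one-line comment stating that the check must stay ahead of the `if (context->buffer)` branch would also help, since the commit message says the ordering is what protects the 2bpp/4bpp path and nothing in the code records that.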
@@ -153,9 +156,6 @@ static int raw_decode(AVCodecContext *avctx,
        avctx->codec_tag == MKTAG('A', 'V', 'u', 'p'))
         buf += buf_size - context->length;
 
-    if(buf_size < context->length - (avctx->pix_fmt==PIX_FMT_PAL8 ? 256*4 : 0))
-        return -1;
-
     avpicture_fill(picture, buf, avctx->pix_fmt, avctx->width, avctx->height);
     if((avctx->pix_fmt==PIX_FMT_PAL8 && buf_size < context->length) ||
        (av_pix_fmt_descriptors[avctx->pix_fmt].flags & PIX_FMT_PSEUDOPAL)) {
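Review bot: at `buf += buf_size - context->length;`, the check (before and after the move) lets PIX_FMT_PAL8 packets through with buf_size up to 256*4 below context->length, so this offset can be negative if the codec_tag branch is ever reached with PAL8. The hunk does not show whether that combination is excluded. Consider guarding the adjustment with `buf_size >= context->length`, or adding a comment explaining why the tags in this condition never carry PAL8 data.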
    
    