diff gifdec.c @ 4718:9962405d2d18 libavcodec

add some length checks
author bcoudurier
date Sat, 24 Mar 2007 23:57:42 +0000
parents dd9ad0da0a51
children 524ef62965bf
line wrap: on
line diff
--- a/gifdec.c	Sat Mar 24 23:53:34 2007 +0000
+++ b/gifdec.c	Sat Mar 24 23:57:42 2007 +0000
@@ -48,6 +48,7 @@
 
     /* LZW compatible decoder */
     uint8_t *bytestream;
+    uint8_t *bytestream_end;
     LZWState *lzw;
 
     /* aux buffers */
@@ -209,6 +210,9 @@
     int v, n;
     int has_global_palette;
 
+    if (s->bytestream_end < s->bytestream + 13)
+        return -1;
+
     /* read gif signature */
     bytestream_get_buffer(&s->bytestream, sig, 6);
     if (memcmp(sig, gif87a_sig, 6) != 0 &&
@@ -238,6 +242,8 @@
 #endif
     if (has_global_palette) {
         n = 1 << s->bits_per_pixel;
+        if (s->bytestream_end < s->bytestream + n * 3)
+            return -1;
         bytestream_get_buffer(&s->bytestream, s->global_palette, n * 3);
     }
     return 0;
@@ -245,7 +251,7 @@
 
 static int gif_parse_next_image(GifState *s)
 {
-    for (;;) {
+    while (s->bytestream < s->bytestream_end) {
         int code = bytestream_get_byte(&s->bytestream);
 #ifdef DEBUG
         dprintf(s->avctx, "gif: code=%02x '%c'\n", code, code);
@@ -289,6 +295,7 @@
     int ret;
 
     s->bytestream = buf;
+    s->bytestream_end = buf + buf_size;
     if (gif_read_header1(s) < 0)
         return -1;