From: Stefano Sabatini Date: Fri, 22 Apr 2011 22:08:28 +0000 (+0200) Subject: flicvideo: fix crash on flic files with invalid frame size X-Git-Tag: n0.8~802 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=efd6cbc5ddac2d4df7008733bfef1d6d6809cc3c;p=coroid%2Fffmpeg_saccubus.git flicvideo: fix crash on flic files with invalid frame size Add a check in flic_decode_frame_8BPP(), in case chunk_size is > frame_size issue a warning and resize chunk_size to frame_size, in order to avoid out-of-buffer reads. Fix roundup issue #2520, trac issue #69. Signed-off-by: Stefano Sabatini --- diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c index 126c4e1a0..7d2fd8764 100644 --- a/libavcodec/flicvideo.c +++ b/libavcodec/flicvideo.c @@ -181,6 +181,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx, /* iterate through the chunks */ while ((frame_size > 0) && (num_chunks > 0)) { chunk_size = AV_RL32(&buf[stream_ptr]); + if (chunk_size > frame_size) { + av_log(avctx, AV_LOG_WARNING, + "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size); + chunk_size = frame_size; + } stream_ptr += 4; chunk_type = AV_RL16(&buf[stream_ptr]); stream_ptr += 2;
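Review bot: the clamp `chunk_size = frame_size;` in the new block keeps decoding a chunk whose declared length already shows the frame header is inconsistent; since the remaining chunk data cannot be parsed correctly from such input, consider returning AVERROR_INVALIDDATA after the av_log() instead of only warning and truncating, or add a comment explaining why continuing with a truncated chunk is the intended behaviour. The new check also only bounds the upper end: the loop still consumes the 4 + 2 chunk header bytes via `stream_ptr += 4;` and `chunk_type = AV_RL16(&buf[stream_ptr]);`, so a chunk_size smaller than that header is not rejected at this point; pairing the new upper bound with a lower bound check would make the validation complete.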