X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Flzw.c;h=19f3e110f48582886cc994efe66ca4c6b39c1ef5;hb=ad12e9e8c054b904d564e1a183b73104bca2e3d5;hp=185a05d6abf899fdd7bddc4349f0df011cb998e7;hpb=e2d110d8d21469987b6e5866398ef01654560c3b;p=ffmpeg
diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c
index 185a05d6abf..19f3e110f48 100644
--- a/libavcodec/lzw.c
+++ b/libavcodec/lzw.c
@@ -101,9 +101,14 @@ void ff_lzw_decode_tail(LZWState *p)
 struct LZWState *s = (struct LZWState *)p;
 
 if(s->mode == FF_LZW_GIF) {
- while(s->pbuf < s->ebuf && s->bs>0){
- s->pbuf += s->bs;
- s->bs = *s->pbuf++;
+ while (s->bs > 0) {
+ if (s->bs >= s->ebuf - s->pbuf) {
+ s->pbuf = s->ebuf;
+ break;
+ } else {
+ s->pbuf += s->bs;
+ s->bs = *s->pbuf++;
+ }
 }
 }else
 s->pbuf= s->ebuf;
@@ -185,6 +190,10 @@ int ff_lzw_decode(LZWState *p, uint8_t *buf, int len){
 if ((--l) == 0)
 goto the_end;
 }
+ if (s->ebuf < s->pbuf) {
+ av_log(0, AV_LOG_ERROR, "lzw overread\n");
+ goto the_end;
+ }
 c = lzw_get_code(s);
 if (c == s->end_code) {
 break;
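Review bot: The new bound in ff_lzw_decode_tail, `if (s->bs >= s->ebuf - s->pbuf)`, needs a comment explaining why it is `>=` rather than `>`, since that off-by-one is the whole fix. Skipping a sub-block must leave at least one byte before `s->ebuf` for the following `s->bs = *s->pbuf++` size read; a line such as `/* need bs data bytes plus one size byte before ebuf */` above the test would record that. The break path also clamps `s->pbuf` to `s->ebuf` but leaves `s->bs` non-zero. If anything reads `s->bs` after the tail call (not visible from this hunk), it would see a stale count, so `s->bs = 0;` before `break` looks safer.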
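Review bot: The added `if (s->ebuf < s->pbuf)` test in ff_lzw_decode only fires once `s->pbuf` has already moved past `s->ebuf`, so the out-of-bounds read in the previous `lzw_get_code(s)` call has already happened by the time it is logged. The bound belongs before the dereference, presumably inside lzw_get_code (not visible in this hunk), so that reading stops at `s->ebuf` instead of being reported afterwards. The log call should also pass a null pointer constant rather than `0` for the context, `av_log(NULL, AV_LOG_ERROR, "lzw overread\n");`. Jumping to `the_end` appears to return the ordinary decoded-byte count, so a caller may be unable to tell truncated input from success. The enclosing loop and the `the_end` label lie outside the hunk.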