X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fpnm.c;h=b5c288194895b77a3d08edcce3006eccab5360a3;hb=df08db07110dc00f7dc0ca8bc5162fffcb9008c7;hp=b06a6e81b5190c987e02fd04c0f0e21208707cb5;hpb=26148e923613e718787c6fc4bf3f64e8909f597c;p=ffmpeg

diff --git a/libavcodec/pnm.c b/libavcodec/pnm.c
index b06a6e81b51..b5c28819489 100644
--- a/libavcodec/pnm.c
+++ b/libavcodec/pnm.c
@@ -22,6 +22,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "libavutil/avassert.h"
 #include "libavutil/imgutils.h"
 #include "avcodec.h"
 #include "internal.h"
@@ -36,13 +37,15 @@ static void pnm_get(PNMContext *sc, char *str, int buf_size)
 {
     char *s;
     int c;
+    uint8_t *bs  = sc->bytestream;
+    const uint8_t *end = sc->bytestream_end;
 
     /* skip spaces and comments */
-    while (sc->bytestream < sc->bytestream_end) {
-        c = *sc->bytestream++;
+    while (bs < end) {
+        c = *bs++;
         if (c == '#')  {
-            while (c != '\n' && sc->bytestream < sc->bytestream_end) {
-                c = *sc->bytestream++;
+            while (c != '\n' && bs < end) {
+                c = *bs++;
             }
         } else if (!pnm_space(c)) {
             break;
@@ -50,12 +53,12 @@ static void pnm_get(PNMContext *sc, char *str, int buf_size)
     }
 
     s = str;
-    while (sc->bytestream < sc->bytestream_end && !pnm_space(c)) {
-        if ((s - str)  < buf_size - 1)
-            *s++ = c;
-        c = *sc->bytestream++;
+    while (bs < end && !pnm_space(c) && (s - str) < buf_size - 1) {
+        *s++ = c;
+        c = *bs++;
     }
     *s = '\0';
+    sc->bytestream = bs;
 }
 
 int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
@@ -64,9 +67,15 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
     int h, w, depth, maxval;
     int ret;
 
-    pnm_get(s, buf1, sizeof(buf1));
-    if(buf1[0] != 'P')
+    if (s->bytestream_end - s->bytestream < 3 ||
+        s->bytestream[0] != 'P' ||
+        s->bytestream[1] < '1'  ||
+        s->bytestream[1] > '7') {
+        s->bytestream += s->bytestream_end > s->bytestream;
+        s->bytestream += s->bytestream_end > s->bytestream;
         return AVERROR_INVALIDDATA;
+    }
+    pnm_get(s, buf1, sizeof(buf1));
     s->type= buf1[1]-'0';
 
     if (s->type==1 || s->type==4) {
@@ -108,6 +117,9 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
                 return AVERROR_INVALIDDATA;
             }
         }
+        if (!pnm_space(s->bytestream[-1]))
+            return AVERROR_INVALIDDATA;
+
         /* check that all tags are present */
         if (w <= 0 || h <= 0 || maxval <= 0 || maxval > UINT16_MAX || depth <= 0 || tuple_type[0] == '\0' ||
             av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end)
@@ -148,7 +160,7 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
         }
         return 0;
     } else {
-        return AVERROR_INVALIDDATA;
+        av_assert0(0);
     }
     pnm_get(s, buf1, sizeof(buf1));
     w = atoi(buf1);
@@ -188,6 +200,10 @@ int ff_pnm_decode_header(AVCodecContext *avctx, PNMContext * const s)
         }
     }else
         s->maxval=1;
+
+    if (!pnm_space(s->bytestream[-1]))
+        return AVERROR_INVALIDDATA;
+
     /* more check if YUV420 */
     if (av_pix_fmt_desc_get(avctx->pix_fmt)->flags & AV_PIX_FMT_FLAG_PLANAR) {
         if ((avctx->width & 1) != 0)