X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fptx.c;h=fd4933c1d6fc3d99e64861ebd35ddbc6e1703ea7;hb=dcd2b55e1a7d1f88dc893c04cc86181fc7f11cc4;hp=5dadaf6ece9cd6e038888566f9a865f0356cdd96;hpb=ec6402b7c595c3ceed6d1b8c1b75c6aa8336e052;p=ffmpeg

diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c
index 5dadaf6ece9..fd4933c1d6f 100644
--- a/libavcodec/ptx.c
+++ b/libavcodec/ptx.c
@@ -39,12 +39,15 @@ static av_cold int ptx_init(AVCodecContext *avctx) {
 static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
                             AVPacket *avpkt) {
     const uint8_t *buf = avpkt->data;
+    const uint8_t *buf_end = avpkt->data + avpkt->size;
     PTXContext * const s = avctx->priv_data;
     AVFrame *picture = data;
     AVFrame * const p = &s->picture;
     unsigned int offset, w, h, y, stride, bytes_per_pixel;
     uint8_t *ptr;
 
+    if (buf_end - buf < 14)
+        return AVERROR_INVALIDDATA;
     offset          = AV_RL16(buf);
     w               = AV_RL16(buf+8);
     h               = AV_RL16(buf+10);
@@ -57,6 +60,8 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
 
     avctx->pix_fmt = PIX_FMT_RGB555;
 
+    if (buf_end - buf < offset)
+        return AVERROR_INVALIDDATA;
     if (offset != 0x2c)
         av_log_ask_for_sample(avctx, "offset != 0x2c\n");
 
@@ -79,7 +84,7 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     ptr    = p->data[0];
     stride = p->linesize[0];
 
-    for (y=0; y<h; y++) {
+    for (y = 0; y < h && buf_end - buf >= w * bytes_per_pixel; y++) {
 #if HAVE_BIGENDIAN
         unsigned int x;
         for (x=0; x<w*bytes_per_pixel; x+=bytes_per_pixel)
@@ -94,6 +99,11 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     *picture = s->picture;
     *data_size = sizeof(AVPicture);
 
+    if (y < h) {
+        av_log(avctx, AV_LOG_WARNING, "incomplete packet\n");
+        return avpkt->size;
+    }
+
     return offset + w*h*bytes_per_pixel;
 }