avcodec/vmnc: Check that rectangles are within the picture

author Michael Niedermayer <michaelni@gmx.at>

Mon, 20 Jan 2014 17:08:18 +0000 (18:08 +0100)

committer Michael Niedermayer <michaelni@gmx.at>

Mon, 20 Jan 2014 17:46:37 +0000 (18:46 +0100)
author Michael Niedermayer <michaelni@gmx.at>
Mon, 20 Jan 2014 17:08:18 +0000 (18:08 +0100)
committer Michael Niedermayer <michaelni@gmx.at>
Mon, 20 Jan 2014 17:46:37 +0000 (18:46 +0100)
diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c

index 5f91ab1b319173c5945d88283b40f093bfece30b..46bd52ee267e83fa5c056972519f876c18bb5cf1 100644 (file)
--- a/libavcodec/vmnc.c
+++ b/libavcodec/vmnc.c
@@ -291,6 +291,11 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, GetByteContext *gb,
                          fg = vmnc_get_pixel(gb, bpp, c->bigendian);
                      xy = bytestream2_get_byte(gb);
                      wh = bytestream2_get_byte(gb);
+                    if (   (xy >> 4) + (wh >> 4) + 1 > w - i
+                        || (xy & 0xF) + (wh & 0xF)+1 > h - j) {
+                        av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                      paint_rect(dst2, xy >> 4, xy & 0xF,
                                 (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
                  }
author	Michael Niedermayer <michaelni@gmx.at>
	Mon, 20 Jan 2014 17:08:18 +0000 (18:08 +0100)
committer	Michael Niedermayer <michaelni@gmx.at>
	Mon, 20 Jan 2014 17:46:37 +0000 (18:46 +0100)