4xm: do not overread the prestream buffer

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit be373cb50d) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
2025-12-13 10:30:05 +01:00 · 2013-06-07 16:18:22 +02:00
parent cd9b0bb07a
commit 12dc01bb1f
1 changed files with 13 additions and 2 deletions
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -535,7 +535,10 @@ static int decode_i_mb(FourXContext *f){
    return 0;
 }

-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){
+static const uint8_t *read_huffman_tables(FourXContext *f,
+                                          const uint8_t * const buf,
+                                          int len)
+{
    int frequency[512];
    uint8_t flag[512];
    int up[512];
@@ -553,12 +556,20 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
    for(;;){
        int i;

+        len -= end - start + 1;
+
+        if (end < start || len < 0)
+            return NULL;
+
        for(i=start; i<=end; i++){
            frequency[i]= *ptr++;
        }
        start= *ptr++;
        if(start==0) break;

+        if (--len < 0)
+            return NULL;
+
        end= *ptr++;
    }
    frequency[256]=1;
@@ -691,7 +702,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
        return -1;
    }

-    prestream = read_huffman_tables(f, prestream);
+    prestream = read_huffman_tables(f, prestream, prestream_size);
    if (!prestream) {
        av_log(f->avctx, AV_LOG_ERROR, "Error reading Huffman tables.\n");
        return AVERROR_INVALIDDATA;