proresdec_lgpl: explicitly check coff[3] against slice_data_size

The implicit checks via v_data_size and a_data_size don't work in the case '(hdr_size > 7) && !ctx->alpha_info'. This fixes segmentation faults due to invalid reads. This problem was introduced in commit 547c2f002a87f4412a83c23b0d60364be5e7ce58. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-10 01:49:46 +0300
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-18 01:15:47 +0300
commit: 1ed4b527321f4380d18aeb4306574f4b6ec610c7 (patch)
tree: 5e1309c9c39e56a52382c631e7b114449aafb7dc /libavcodec/proresdec_lgpl.c
parent: 72a2d6ff56ce2e06a756d1f86cae300944838096 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c
index 467a423f23..bc5bdb5a4d 100644
--- a/libavcodec/proresdec_lgpl.c
+++ b/libavcodec/proresdec_lgpl.c
@@ -625,7 +625,7 @@ static int decode_slice(AVCodecContext *avctx, void *tdata)
 
     /* if V or alpha component size is negative that means that previous
        component sizes are too large */
-    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6) {
+    if (v_data_size < 0 || a_data_size < 0 || hdr_size < 6 || coff[3] > slice_data_size) {
         av_log(avctx, AV_LOG_ERROR, "invalid data size\n");
         return AVERROR_INVALIDDATA;
     }
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-10 01:49:46 +0300
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-18 01:15:47 +0300
commit	1ed4b527321f4380d18aeb4306574f4b6ec610c7 (patch)
tree	5e1309c9c39e56a52382c631e7b114449aafb7dc /libavcodec/proresdec_lgpl.c
parent	72a2d6ff56ce2e06a756d1f86cae300944838096 (diff)