lcldec: Check length before unsigned subtraction.

Fix integer overflow and out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <[email protected]>
hubertt · Jan 24, 2013 · b53ed19 · b53ed19
1 parent 69fb605
commit b53ed19
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
@@ -203,6 +203,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
                 ;
             } else if (c->flags & FLAG_MULTITHREAD) {
                 mthread_inlen = AV_RL32(encoded);
+                if (len < 8) {
+                    av_log(avctx, AV_LOG_ERROR, "len %d is too small\n", len);
+                    return AVERROR_INVALIDDATA;
+                }
                 mthread_inlen = FFMIN(mthread_inlen, len - 8);
                 mthread_outlen = AV_RL32(encoded+4);
                 mthread_outlen = FFMIN(mthread_outlen, c->decomp_size);