author | Frediano Ziglio <freddy77@gmail.com> | 2020-04-29 15:11:38 +0100 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2020-09-17 06:46:57 +0100 |
commit | ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 (patch) | |
tree | 9c16d4c4261aad73f0a44cc7b11e0ee05ac638cc | |
parent | 404d74782c8b5e57d146c5bf3118bb41bf3378e4 (diff) |
quic: Check RLE lengths
Avoid buffer overflows decoding images. On compression we compute
lengths till end of line so it won't cause regressions.
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r-- | common/quic_tmpl.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
index ecd6f3f..ebae992 100644
--- a/common/quic_tmpl.c
+++ b/common/quic_tmpl.c
@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
 do_run:
 state->waitcnt = stopidx - i;
 run_index = i;
- run_end = i + decode_state_run(encoder, state);
+ run_end = decode_state_run(encoder, state);
+ if (run_end < 0 || run_end > (end - i)) {
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
+ }
+ run_end += i;
 for (; i < run_end; i++) {
 UNCOMPRESS_PIX_START(&cur_row[i]); |
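Review bot: The new length check in the `do_run:` path only protects the pixel loop if `encoder->usr->error()` never returns, and nothing visible in this hunk establishes that. If the callback can return, `run_end += i` and the `for (; i < run_end; i++)` loop still run with the rejected length, so the write past `end` that the commit is meant to stop would still happen. I would state the contract at the call site, e.g. `/* error() must not return: a rejected run length must never reach the loop below */`, and confirm that the callback's declaration carries a noreturn attribute. The `run_end < 0` test also presumes `run_end` is a signed type; its declaration and the rest of `uncompress_row_seg` lie outside the hunk, so that should be checked there.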