Commit ef1b6ff7 authored by Frediano Ziglio's avatar Frediano Ziglio

quic: Check RLE lengths

Avoid buffer overflows decoding images. On compression we compute
lengths till end of line so it won't cause regressions.
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio's avatarFrediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin's avatarUri Lublin <uril@redhat.com>
parent 404d7478
......@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
do_run:
state->waitcnt = stopidx - i;
run_index = i;
run_end = i + decode_state_run(encoder, state);
run_end = decode_state_run(encoder, state);
if (run_end < 0 || run_end > (end - i)) {
encoder->usr->error(encoder->usr, "wrong RLE\n");
}
run_end += i;
for (; i < run_end; i++) {
UNCOMPRESS_PIX_START(&cur_row[i]);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment