flicvideo: fix crash on flic files with invalid frame size

Add a check in flic_decode_frame_8BPP(), in case chunk_size is > frame_size issue a warning and resize chunk_size to frame_size, in order to avoid out-of-buffer reads. Fix roundup issue #2520, trac issue #69. Signed-off-by: Stefano Sabatini <stefano.sabatini-lala@poste.it>

flicvideo: fix crash on flic files with invalid frame size
efd6cbc5 · Stefano Sabatini · cd187279 · efd6cbc5
Commit efd6cbc5 authored 13 years ago by Stefano Sabatini
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -181,6 +181,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
    /* iterate through the chunks */
    while ((frame_size > 0) && (num_chunks > 0)) {
        chunk_size = AV_RL32(&buf[stream_ptr]);
+        if (chunk_size > frame_size) {
+            av_log(avctx, AV_LOG_WARNING,
+                   "Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
+            chunk_size = frame_size;
+        }
        stream_ptr += 4;
        chunk_type = AV_RL16(&buf[stream_ptr]);
        stream_ptr += 2;