From 612ecfbbbb3f4238d44cca5f250ffc6147d03ec2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 14 Nov 2012 22:59:22 +0100 Subject: [PATCH] gifdec: check ff_lzw_decode_init() return value, fix out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer --- libavcodec/gifdec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/gifdec.c b/libavcodec/gifdec.c index 3e7799f9ec..2a61090ef9 100644 --- a/libavcodec/gifdec.c +++ b/libavcodec/gifdec.c @@ -67,6 +67,7 @@ static int gif_read_image(GifState *s) int left, top, width, height, bits_per_pixel, code_size, flags; int is_interleaved, has_local_palette, y, pass, y1, linesize, n, i; uint8_t *ptr, *spal, *palette, *ptr1; + int ret; left = bytestream_get_le16(&s->bytestream); top = bytestream_get_le16(&s->bytestream); @@ -107,8 +108,11 @@ static int gif_read_image(GifState *s) /* now get the image data */ code_size = bytestream_get_byte(&s->bytestream); - ff_lzw_decode_init(s->lzw, code_size, s->bytestream, - s->bytestream_end - s->bytestream, FF_LZW_GIF); + if ((ret = ff_lzw_decode_init(s->lzw, code_size, s->bytestream, + s->bytestream_end - s->bytestream, FF_LZW_GIF)) < 0) { + av_log(s->avctx, AV_LOG_ERROR, "LZW init failed\n"); + return ret; + } /* read all the image */ linesize = s->picture.linesize[0];