From 6dc338458113252ed59a991ba8c11f38ae3f3ba4 Mon Sep 17 00:00:00 2001
From: Matthias Vogelgesang
Date: Tue, 19 Jan 2016 16:51:07 +0100
Subject: Prevent buffer overflow with corrupt data

---
 src/ufodecode.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/ufodecode.c b/src/ufodecode.c
index 46af883..23a6018 100644
--- a/src/ufodecode.c
+++ b/src/ufodecode.c
@@ -163,7 +163,7 @@ ufo_decoder_set_raw_data (UfoDecoder *decoder, uint32_t *raw, size_t num_bytes)
 }
 
 static size_t
-ufo_decode_frame_channels_v5 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_rows, uint8_t output_mode)
+ufo_decode_frame_channels_v5 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_bytes, size_t num_rows, uint8_t output_mode)
 {
     payload_header_v5 *header;
     size_t base = 0, index = 0;
@@ -229,7 +229,7 @@ ufo_decode_frame_channels_v5 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint3
 }
 
 static size_t
-ufo_decode_frame_channels_v6 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_rows, uint16_t start_offset)
+ufo_decode_frame_channels_v6 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint32_t *raw, size_t num_bytes, size_t num_rows, uint16_t start_offset)
 {
     size_t base = 0;
     size_t index = 0;
@@ -240,8 +240,8 @@ ufo_decode_frame_channels_v6 (UfoDecoder *decoder, uint16_t *pixel_buffer, uint3
     __m64 mm_r;
 #endif
 
-    while (raw[base] != 0xAAAAAAA) {
-        const size_t row_number = (raw[base] & 0xfff) - start_offset;
+    while ((raw[base] != 0xAAAAAAA) && ((num_bytes - base * 4) >= 32)) {
+        const size_t row_number = raw[base] & 0xfff;
         const size_t pixel_number = (raw[base + 1] >> 16) & 0xfff;
         base += 2;
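Review bot: The added bound is evaluated after `raw[base]` has already been dereferenced, because `&&` runs left to right, so when the data ends exactly at base the sentinel comparison itself reads past the buffer; and `num_bytes - base * 4` wraps to a huge size_t once base has overrun, which lets the check pass. Swap the operands and phrase the bound as an addition: `while (base * sizeof (uint32_t) + 32 <= num_bytes && raw[base] != 0xAAAAAAA) {`. Dropping `- start_offset` from row_number is not explained by the commit message and leaves start_offset unused in the visible lines; row_number and pixel_number (each up to 0xfff) are also still not compared against num_rows or the row width here, presumably before pixel_buffer is indexed further down. The loop body and the enclosing function continue outside the hunk.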
@@ -442,7 +442,6 @@ ufo_decoder_decode_frame (UfoDecoder *decoder, uint32_t *raw, size_t num_bytes,
         fprintf (stderr, "Unsupported header version %i\n", header_version);
     }
 
-
 #ifdef DEBUG
     if ((meta->output_mode != IPECAMERA_MODE_4_CHAN_IO) && (meta->output_mode != IPECAMERA_MODE_16_CHAN_IO)) {
         fprintf (stderr, "Output mode 0x%x is not supported\n", meta->output_mode);
@@ -468,11 +467,11 @@ ufo_decoder_decode_frame (UfoDecoder *decoder, uint32_t *raw, size_t num_bytes,
     switch (dataformat_version) {
         case 5:
-            advance = ufo_decode_frame_channels_v5 (decoder, pixels, raw + pos, rows_per_frame, meta->output_mode);
+            advance = ufo_decode_frame_channels_v5 (decoder, pixels, raw + pos, num_bytes - pos, rows_per_frame, meta->output_mode);
             break;
 
         case 6:
-            advance = ufo_decode_frame_channels_v6 (decoder, pixels, raw + pos, rows_per_frame, meta->cmosis_start_address);
+            advance = ufo_decode_frame_channels_v6 (decoder, pixels, raw + pos, num_bytes - pos, rows_per_frame, meta->cmosis_start_address);
             break;
 
         default:
-- cgit v1.2.1
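Review bot: `num_bytes - pos` mixes units: `raw + pos` advances a `uint32_t *`, so pos counts 32-bit words, whereas num_bytes is a byte count and the v6 callee's `base * 4` test treats it as one, so each decoder is told it has roughly 3*pos more bytes than actually remain. Pass `num_bytes - pos * sizeof (uint32_t)` in both calls, and reject `pos * sizeof (uint32_t) > num_bytes` before the switch so the subtraction cannot wrap. The v5 decoder now receives the length as well, but no check that uses it appears anywhere in this commit; its body is outside the hunks, so confirm a bound was added there too. ufo_decoder_decode_frame starts and ends outside the hunk.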