From cb1ba7b80e6904dc6a644c08f3e06223760777ea Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Mon, 9 Mar 2026 18:50:17 +0100
Subject: [PATCH] rpza: check that declared size does not exceed real size

Old versions of the codec used only part of fixed-size frames.
---
 nihav-qt/src/codecs/rpza.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nihav-qt/src/codecs/rpza.rs b/nihav-qt/src/codecs/rpza.rs
index fdbbb80..8b6f474 100644
--- a/nihav-qt/src/codecs/rpza.rs
+++ b/nihav-qt/src/codecs/rpza.rs
@@ -51,13 +51,13 @@ impl NADecoder for RpzaDecoder {
 }
 fn decode(&mut self, _supp: &mut NADecoderSupport, pkt: &NAPacket) -> DecoderResult {
 let src = pkt.get_buffer();
- validate!(src.len() >= 2);
+ validate!(src.len() >= 4);
 let mut br = MemoryReader::new_read(src.as_slice());
 let id = br.read_byte()?;
 validate!(id == 0xE1);
 let length = br.read_u24be()? as usize;
- validate!(length == src.len());
+ validate!(length >= 4 && length <= src.len());
 let bufret = self.hams.clone_ref();
 let mut buf;
@@ -157,6 +157,9 @@ impl NADecoder for RpzaDecoder {
 };
 blockpos += len;
 }
+ if length < src.len() {
+ validate!(br.tell() <= (length as u64));
+ }
 let buftype = NABufferType::Video16(buf);
-- 
2.39.5
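Review bot: The reader in `decode` is still built over the whole packet (`MemoryReader::new_read(src.as_slice())`), so once `length` may be smaller than `src.len()` nothing stops the block loop from consuming the trailing bytes as opcodes and pixel data. The overrun is only noticed by the `br.tell()` check in the second hunk, after those bytes have already been decoded into `buf`. Bounding the reader to the declared size would make an overread fail at the read itself, for example by building it over `&src[..length]` once the header has been validated; any position arithmetic later in the function would need checking, since the body of `decode` continues outside this hunk. The new bound could also be written as `validate!((4..=src.len()).contains(&length));`, which is the form clippy suggests for a two-sided range test.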
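Review bot: The `if length < src.len()` guard around the new check is redundant, because when `length == src.len()` the reader cannot have advanced past the end of `src` and `br.tell() <= length` holds anyway. The check can therefore be the single unconditional line `validate!(br.tell() <= (length as u64));`. A short comment above it would also help, such as `// old encoders pad frames to a fixed size, so only the declared length may be consumed`, since the reason for tolerating trailing bytes is given only in the commit message. The loop this check follows starts outside the hunk.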