mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-28 20:53:54 +02:00
avcodec/dxtory: Fix bits left checks
Fixes: Timeout
Fixes: 4863/clusterfuzz-testcase-6347354178322432
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e1a167c55
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
f7abc14d0d
commit
181c3cbacf
@ -325,7 +325,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame,
|
|||||||
int stride = frame->linesize[0];
|
int stride = frame->linesize[0];
|
||||||
uint8_t *dst = frame->data[0] + stride * line;
|
uint8_t *dst = frame->data[0] + stride * line;
|
||||||
|
|
||||||
for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
|
for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
|
||||||
for (x = 0; x < width; x++) {
|
for (x = 0; x < width; x++) {
|
||||||
b = decode_sym_565(gb, lru[0], 5);
|
b = decode_sym_565(gb, lru[0], 5);
|
||||||
g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
|
g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
|
||||||
@ -391,7 +391,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame,
|
|||||||
int stride = frame->linesize[0];
|
int stride = frame->linesize[0];
|
||||||
uint8_t *dst = frame->data[0] + stride * line;
|
uint8_t *dst = frame->data[0] + stride * line;
|
||||||
|
|
||||||
for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
|
for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
|
||||||
for (x = 0; x < width; x++) {
|
for (x = 0; x < width; x++) {
|
||||||
dst[x * 3 + 0] = decode_sym(gb, lru[0]);
|
dst[x * 3 + 0] = decode_sym(gb, lru[0]);
|
||||||
dst[x * 3 + 1] = decode_sym(gb, lru[1]);
|
dst[x * 3 + 1] = decode_sym(gb, lru[1]);
|
||||||
@ -436,7 +436,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame,
|
|||||||
uint8_t *U = frame->data[1] + (ustride >> 2) * line;
|
uint8_t *U = frame->data[1] + (ustride >> 2) * line;
|
||||||
uint8_t *V = frame->data[2] + (vstride >> 2) * line;
|
uint8_t *V = frame->data[2] + (vstride >> 2) * line;
|
||||||
|
|
||||||
for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) {
|
for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) {
|
||||||
for (x = 0; x < width; x += 4) {
|
for (x = 0; x < width; x += 4) {
|
||||||
for (j = 0; j < 4; j++)
|
for (j = 0; j < 4; j++)
|
||||||
for (i = 0; i < 4; i++)
|
for (i = 0; i < 4; i++)
|
||||||
@ -480,7 +480,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame,
|
|||||||
uint8_t *V = frame->data[2] + (vstride >> 1) * line;
|
uint8_t *V = frame->data[2] + (vstride >> 1) * line;
|
||||||
|
|
||||||
|
|
||||||
for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) {
|
for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) {
|
||||||
for (x = 0; x < width; x += 2) {
|
for (x = 0; x < width; x += 2) {
|
||||||
Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
|
Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
|
||||||
Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
|
Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
|
||||||
@ -523,7 +523,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame,
|
|||||||
uint8_t *U = frame->data[1] + ustride * line;
|
uint8_t *U = frame->data[1] + ustride * line;
|
||||||
uint8_t *V = frame->data[2] + vstride * line;
|
uint8_t *V = frame->data[2] + vstride * line;
|
||||||
|
|
||||||
for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
|
for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
|
||||||
for (x = 0; x < width; x++) {
|
for (x = 0; x < width; x++) {
|
||||||
Y[x] = decode_sym(gb, lru[0]);
|
Y[x] = decode_sym(gb, lru[0]);
|
||||||
U[x] = decode_sym(gb, lru[1]) ^ 0x80;
|
U[x] = decode_sym(gb, lru[1]) ^ 0x80;
|
||||||
|
Loading…
Reference in New Issue
Block a user