mmvideo: fix overreads of the input buffer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent
999d38f3a9
commit
37fca5daa0
@ -123,11 +123,18 @@ static void mm_decode_intra(MmContext * s, int half_horiz, int half_vert, const
|
|||||||
*/
|
*/
|
||||||
static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size)
|
static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const uint8_t *buf, int buf_size)
|
||||||
{
|
{
|
||||||
const int data_ptr = 2 + AV_RL16(&buf[0]);
|
int data_ptr;
|
||||||
int d, r, y;
|
int d, r, y;
|
||||||
|
|
||||||
|
if(buf_size < 2) {
|
||||||
|
av_log(s->avctx, AV_LOG_ERROR, "1 or less byte inter frame\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
data_ptr = 2 + AV_RL16(&buf[0]);
|
||||||
d = data_ptr; r = 2; y = 0;
|
d = data_ptr; r = 2; y = 0;
|
||||||
|
|
||||||
while(r < data_ptr) {
|
while(r + 1 < data_ptr) {
|
||||||
int i, j;
|
int i, j;
|
||||||
int length = buf[r] & 0x7f;
|
int length = buf[r] & 0x7f;
|
||||||
int x = buf[r+1] + ((buf[r] & 0x80) << 1);
|
int x = buf[r+1] + ((buf[r] & 0x80) << 1);
|
||||||
@ -138,14 +145,19 @@ static void mm_decode_inter(MmContext * s, int half_horiz, int half_vert, const
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (y + half_vert >= s->avctx->height)
|
if (y + half_vert >= s->avctx->height || r+length > buf_size)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
for(i=0; i<length; i++) {
|
for(i=0; i<length; i++) {
|
||||||
for(j=0; j<8; j++) {
|
for(j=0; j<8; j++) {
|
||||||
int replace = (buf[r+i] >> (7-j)) & 1;
|
int replace = (buf[r+i] >> (7-j)) & 1;
|
||||||
if (replace) {
|
if (replace) {
|
||||||
int color = buf[d];
|
int color;
|
||||||
|
if (d >= buf_size) {
|
||||||
|
av_log(s->avctx, AV_LOG_ERROR, "overread buf\n");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
color = buf[d];
|
||||||
s->frame.data[0][y*s->frame.linesize[0] + x] = color;
|
s->frame.data[0][y*s->frame.linesize[0] + x] = color;
|
||||||
if (half_horiz)
|
if (half_horiz)
|
||||||
s->frame.data[0][y*s->frame.linesize[0] + x + 1] = color;
|
s->frame.data[0][y*s->frame.linesize[0] + x + 1] = color;
|
||||||
|
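Review bot: `data_ptr` is taken from the untrusted 16-bit field at `buf[0]` and is never compared with `buf_size`, so the loop condition `while(r + 1 < data_ptr)` in the first hunk bounds the `buf[r]` and `buf[r+1]` reads only by what the stream claims, not by how many bytes were actually received. The `r+length > buf_size` and `d >= buf_size` checks added in the second hunk cover the `buf[r+i]` and `buf[d]` reads but not those two loop-head reads; whether `r` can actually pass `buf_size` depends on how it is advanced in the code between the two hunks, which is not shown here. A check right after the assignment closes the gap regardless of that: `if (data_ptr > buf_size) { av_log(s->avctx, AV_LOG_ERROR, "data offset beyond buffer\n"); return; }`. mm_decode_inter opens in the first hunk and its body continues past the end of the second.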