virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

avcodec/dxa: check for overread in decode_13()

Browse Source 
Fixes use of uninitialized memory
Fixes part of msan_uninit-mem_7f5ea8284fb7_8317_scummvm.dxa
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-12-19 17:14:59 +01:00
parent f6c95f4f8c
commit 5a5c1b2442
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libavcodec/dxa.c
View File

@ -51,13 +51,17 @@ static const int shift1[6] = { 0, 8, 8, 8, 4, 4 };
static const int shift2[6] = { 0, 0, 8, 4, 0, 4 }; static const int shift2[6] = { 0, 0, 8, 4, 0, 4 };
static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst, static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
int stride, uint8_t *src, uint8_t *ref) int stride, uint8_t *src, int srcsize, uint8_t *ref)
{ {
uint8_t *code, *data, *mv, *msk, *tmp, *tmp2; uint8_t *code, *data, *mv, *msk, *tmp, *tmp2;
uint8_t *src_end = src + srcsize;
int i, j, k; int i, j, k;
int type, x, y, d, d2; int type, x, y, d, d2;
uint32_t mask; uint32_t mask;
if (12ULL + ((avctx->width * avctx->height) >> 4) + AV_RB32(src + 0) + AV_RB32(src + 4) > srcsize)
return AVERROR_INVALIDDATA;
code = src + 12; code = src + 12;
data = code + ((avctx->width * avctx->height) >> 4); data = code + ((avctx->width * avctx->height) >> 4);
mv = data + AV_RB32(src + 0); mv = data + AV_RB32(src + 0);
@ -65,6 +69,8 @@ static int decode_13(AVCodecContext *avctx, DxaDecContext *c, uint8_t* dst,
for(j = 0; j < avctx->height; j += 4){ for(j = 0; j < avctx->height; j += 4){
for(i = 0; i < avctx->width; i += 4){ for(i = 0; i < avctx->width; i += 4){
if (data > src_end || mv > src_end || msk > src_end)
return AVERROR_INVALIDDATA;
tmp = dst + i; tmp = dst + i;
tmp2 = ref + i; tmp2 = ref + i;
type = *code++; type = *code++;
@ -302,7 +308,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
av_log(avctx, AV_LOG_ERROR, "Missing reference frame\n"); av_log(avctx, AV_LOG_ERROR, "Missing reference frame\n");
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
decode_13(avctx, c, frame->data[0], frame->linesize[0], srcptr, c->prev->data[0]); decode_13(avctx, c, frame->data[0], frame->linesize[0], srcptr, dsize, c->prev->data[0]);
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, "Unknown/unsupported compression type %d\n", compr); av_log(avctx, AV_LOG_ERROR, "Unknown/unsupported compression type %d\n", compr);