
eatgv: fix pointer arithmetic overflows.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Laurent Aimar 2011-10-08 23:40:28 +02:00 committed by Michael Niedermayer
parent 09302a897d
commit 6bfe0d4c3d


@ -74,7 +74,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
else else
src += 2; src += 2;
if (src+3>src_end) if (src_end - src < 3)
return -1; return -1;
size = AV_RB24(src); size = AV_RB24(src);
src += 3; src += 3;
@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
* @return 0 on success, -1 on critical buffer underflow * @return 0 on success, -1 on critical buffer underflow
*/ */
static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0]; unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];
int num_mvs; int num_mvs;
int num_blocks_raw; int num_blocks_raw;
int num_blocks_packed; int num_blocks_packed;
@ -148,7 +148,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
int mvbits; int mvbits;
const unsigned char *blocks_raw; const unsigned char *blocks_raw;
if(buf+12>buf_end) if(buf_end - buf < 12)
return -1; return -1;
num_mvs = AV_RL16(&buf[0]); num_mvs = AV_RL16(&buf[0]);
@ -171,7 +171,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
/* read motion vectors */ /* read motion vectors */
mvbits = (num_mvs*2*10+31) & ~31; mvbits = (num_mvs*2*10+31) & ~31;
if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end) if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed)
return -1; return -1;
init_get_bits(&gb, buf, mvbits); init_get_bits(&gb, buf, mvbits);
@ -207,12 +207,14 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
int src_stride; int src_stride;
if (vector < num_mvs) { if (vector < num_mvs) {
src = s->last_frame.data[0] + unsigned offset =
(y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] + (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
x*4 + s->mv_codebook[vector][0]; x*4 + s->mv_codebook[vector][0];
src_stride = s->last_frame.linesize[0]; src_stride = s->last_frame.linesize[0];
if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end) if (offset >= last_frame_size - (3*src_stride+3))
continue; continue;
src = s->last_frame.data[0] + offset;
}else{ }else{
int offset = vector - num_mvs; int offset = vector - num_mvs;
if (offset<num_blocks_raw) if (offset<num_blocks_raw)
@ -252,12 +254,15 @@ static int tgv_decode_frame(AVCodecContext *avctx,
const uint8_t *buf_end = buf + buf_size; const uint8_t *buf_end = buf + buf_size;
int chunk_type; int chunk_type;
if (buf_end - buf < EA_PREAMBLE_SIZE)
return AVERROR_INVALIDDATA;
chunk_type = AV_RL32(&buf[0]); chunk_type = AV_RL32(&buf[0]);
buf += EA_PREAMBLE_SIZE; buf += EA_PREAMBLE_SIZE;
if (chunk_type==kVGT_TAG) { if (chunk_type==kVGT_TAG) {
int pal_count, i; int pal_count, i;
if(buf+12>buf_end) { if(buf_end - buf < 12) {
av_log(avctx, AV_LOG_WARNING, "truncated header\n"); av_log(avctx, AV_LOG_WARNING, "truncated header\n");
return -1; return -1;
} }
@ -272,7 +277,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,
pal_count = AV_RL16(&buf[6]); pal_count = AV_RL16(&buf[6]);
buf += 12; buf += 12;
for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) { for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
s->palette[i] = AV_RB24(buf); s->palette[i] = AV_RB24(buf);
buf += 3; buf += 3;
} }
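Review bot: The bound check `if (offset >= last_frame_size - (3*src_stride+3))` in the -207 hunk relies on unsigned wrap-around in two directions, and only one of them is safe: a negative motion vector turns `offset` into a large value that is correctly rejected, but if `last_frame_size` is ever smaller than `3*src_stride+3` (a frame fewer than four rows high, assuming the block loop does not already skip such frames — it is not visible here) the right-hand side wraps to near UINT_MAX and every offset passes. Writing it as `if (offset >= last_frame_size || last_frame_size - offset <= 3*src_stride + 3) continue;` keeps exactly the same acceptance set without the underflow. The unsigned trick also deserves a comment so the next maintainer does not "fix" it back to a signed int, e.g. `/* offset is unsigned on purpose: a negative vector wraps above last_frame_size and fails the bound check */`. The new early return in the -252 hunk reports AVERROR_INVALIDDATA while the neighbouring truncation checks still return -1; aligning them would be a small follow-up. tgv_decode_inter starts and ends outside this hunk.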