Fix possibly exploitable buffer overrun in msrle_decode_8_16_24_32().
Issue has been reported to me by Gynvael Coldwind.

Originally committed as revision 25632 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent
81a646140f
commit
7429783101
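--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -136,6 +136,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
 int p1, p2, line=avctx->height - 1, pos=0, i;
 uint16_t av_uninit(pix16);
 uint32_t av_uninit(pix32);
+unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
 
 output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
 output_end = pic->data[0] + (avctx->height) * pic->linesize[0];
@@ -157,11 +158,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, int de
 p1 = *src++;
 p2 = *src++;
 line -= p2;
-if (line < 0){
+pos += p1;
+if (line < 0 || pos >= width){
 av_log(avctx, AV_LOG_ERROR, "Skip beyond picture bounds\n");
 return -1;
 }
-pos += p1;
 output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
 continue;
 }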
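Review bot: `width` in the first hunk is computed from the row stride (`FFABS(pic->linesize[0]) / (depth >> 3)`), not from `avctx->width`, so the new `pos >= width` test in the skip branch keeps the recomputed `output` inside the allocated row but would still accept a skip that lands in any padding past the visible picture. That is sufficient for memory safety at this point, but the declaration deserves a comment saying so, for example `/* pixels per allocated row (stride-based, may exceed avctx->width); bounds pos in the skip escape */`. The check covers only the skip escape shown in the second hunk; whether the run and copy paths that later write from `output` are bounded against `output_end` cannot be judged from here, because the function body continues outside both hunks. `depth >> 3` is now also a divisor, so the initializer presumably relies on callers passing only depths of 8 or more, which is worth stating in the same comment.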