virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-02-04 06:08:26 +02:00
Code Issues Releases Activity

dxv: Check to make sure we don't overrun buffers on corrupt inputs

Browse Source 
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
Martin Storsjö 2016-07-28 13:45:24 +03:00
parent e328178da9
commit 7ebdffc353
1 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libavcodec/dxv.c
View File

@ -125,7 +125,7 @@ static int dxv_decompress_dxt1(AVCodecContext *avctx)
AV_WL32(ctx->tex_data + 4, bytestream2_get_le32(gbc));
/* Process input until the whole texture has been filled */
while (pos < ctx->tex_size / 4) {
while (pos + 2 <= ctx->tex_size / 4) {
CHECKPOINT(2);
/* Copy two elements from a previous offset or from the input buffer */
@ -178,7 +178,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
AV_WL32(ctx->tex_data + 12, bytestream2_get_le32(gbc));
/* Process input until the whole texture has been filled */
while (pos < ctx->tex_size / 4) {
while (pos + 2 <= ctx->tex_size / 4) {
if (run) {
run--;
@ -207,7 +207,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
check += probe;
} while (probe == 0xFFFF);
}
while (check && pos < ctx->tex_size / 4) {
while (check && pos + 4 <= ctx->tex_size / 4) {
prev = AV_RL32(ctx->tex_data + 4 * (pos - 4));
AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++;
@ -252,6 +252,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
case 2:
/* Copy two dwords from a previous index */
idx = 8 + bytestream2_get_le16(gbc);
if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
return AVERROR_INVALIDDATA;
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++;
@ -274,9 +276,13 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
}
CHECKPOINT(4);
if (pos + 2 > ctx->tex_size / 4)
return AVERROR_INVALIDDATA;
/* Copy two elements from a previous offset or from the input buffer */
if (op) {
if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
return AVERROR_INVALIDDATA;
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
AV_WL32(ctx->tex_data + 4 * pos, prev);
pos++;
@ -287,6 +293,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
} else {
CHECKPOINT(4);
if (op && (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4))
return AVERROR_INVALIDDATA;
if (op)
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
else