virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-03-28 12:32:17 +02:00
Code Issues Releases Activity

dfa: add some checks to ensure that decoder won't write past frame end

Browse Source
This commit is contained in:
Kostya Shishkov 2012-05-03 20:10:36 +02:00
parent 96f7590efd
commit 8099187e89
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libavcodec/dfa.c
View File

@ -164,6 +164,8 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
} else if (bitbuf & (mask << 1)) { } else if (bitbuf & (mask << 1)) {
frame += bytestream2_get_le16(gb) * 2; frame += bytestream2_get_le16(gb) * 2;
} else { } else {
if (frame_end - frame < width + 2)
return AVERROR_INVALIDDATA;
frame[0] = frame[1] = frame[0] = frame[1] =
frame[width] = frame[width + 1] = bytestream2_get_byte(gb); frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
frame += 2; frame += 2;
@ -224,6 +226,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
const uint8_t *frame_end = frame + width * height; const uint8_t *frame_end = frame + width * height;
uint8_t *line_ptr; uint8_t *line_ptr;
int count, i, v, lines, segments; int count, i, v, lines, segments;
int y = 0;
lines = bytestream2_get_le16(gb); lines = bytestream2_get_le16(gb);
if (lines > height) if (lines > height)
@ -234,10 +237,12 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
return -1; return -1;
segments = bytestream2_get_le16u(gb); segments = bytestream2_get_le16u(gb);
while ((segments & 0xC000) == 0xC000) { while ((segments & 0xC000) == 0xC000) {
unsigned skip_lines = -(int16_t)segments;
unsigned delta = -((int16_t)segments * width); unsigned delta = -((int16_t)segments * width);
if (frame_end - frame <= delta) if (frame_end - frame <= delta || y + lines + skip_lines > height)
return -1; return -1;
frame += delta; frame += delta;
y += skip_lines;
segments = bytestream2_get_le16(gb); segments = bytestream2_get_le16(gb);
} }
if (segments & 0x8000) { if (segments & 0x8000) {
@ -246,6 +251,7 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
} }
line_ptr = frame; line_ptr = frame;
frame += width; frame += width;
y++;
while (segments--) { while (segments--) {
if (frame - line_ptr <= bytestream2_peek_byte(gb)) if (frame - line_ptr <= bytestream2_peek_byte(gb))
return -1; return -1;