vcr1: add sanity checks

Fixes invalid reads with corrupted files. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
2025-01-08 13:22:53 +02:00 · 2013-08-24 21:30:46 +02:00 · 2013-08-24 21:30:46 +02:00 · 8aba7968dd
commit 8aba7968dd
parent 21ffd41011
1 changed files with 21 additions and 0 deletions
--- a/libavcodec/vcr1.c
+++ b/libavcodec/vcr1.c
@ -37,6 +37,11 @@ static av_cold int vcr1_decode_init(AVCodecContext *avctx)
 {
    avctx->pix_fmt = AV_PIX_FMT_YUV410P;

+    if (avctx->width & 7) {
+        av_log(avctx, AV_LOG_ERROR, "Width %d is not divisble by 8.\n", avctx->width);
+        return AVERROR_INVALIDDATA;
+    }
+
    return 0;
 }

@ -57,9 +62,13 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
    p->pict_type = AV_PICTURE_TYPE_I;
    p->key_frame = 1;

+    if (buf_size < 32)
+        goto packet_small;
+
    for (i = 0; i < 16; i++) {
        a->delta[i] = *bytestream++;
        bytestream++;
+        buf_size--;
    }

    for (y = 0; y < avctx->height; y++) {
@ -70,8 +79,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
            uint8_t *cb = &p->data[1][(y >> 2) * p->linesize[1]];
            uint8_t *cr = &p->data[2][(y >> 2) * p->linesize[2]];

+            if (buf_size < 4 + avctx->width)
+                goto packet_small;
+
            for (i = 0; i < 4; i++)
                a->offset[i] = *bytestream++;
+            buf_size -= 4;

            offset = a->offset[0] - a->delta[bytestream[2] & 0xF];
            for (x = 0; x < avctx->width; x += 4) {
@ -85,8 +98,12 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
                *cr++       = bytestream[1];

                bytestream += 4;
+                buf_size   -= 4;
            }
        } else {
+            if (buf_size < avctx->width / 2)
+                goto packet_small;
+
            offset = a->offset[y & 3] - a->delta[bytestream[2] & 0xF];

            for (x = 0; x < avctx->width; x += 8) {
@ -100,6 +117,7 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
                luma[7]     = offset += a->delta[bytestream[1] >>  4];
                luma       += 8;
                bytestream += 4;
+                buf_size   -= 4;
            }
        }
    }
@ -107,6 +125,9 @@ static int vcr1_decode_frame(AVCodecContext *avctx, void *data,
    *got_frame = 1;

    return buf_size;
+packet_small:
+    av_log(avctx, AV_LOG_ERROR, "Input packet too small.\n");
+    return AVERROR_INVALIDDATA;
 }

 AVCodec ff_vcr1_decoder = {