virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-03-03 14:32:16 +02:00
Code Issues Releases Activity

wc4: fix out of chroma LUT reads

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-03-04 00:13:52 +01:00
parent cd0cfdc0a7
commit 8f1bb3d598
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/xxan.c
View File

@ -162,6 +162,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
int i, j; int i, j;
const uint8_t *src, *src_end; const uint8_t *src, *src_end;
const uint8_t *table; const uint8_t *table;
int table_size;
int mode, offset, dec_size; int mode, offset, dec_size;
chroma_off = AV_RL32(buf + 4); chroma_off = AV_RL32(buf + 4);
@ -173,6 +174,7 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
} }
src = avpkt->data + 4 + chroma_off; src = avpkt->data + 4 + chroma_off;
table = src + 2; table = src + 2;
table_size = avpkt->data + avpkt->size - table;
mode = bytestream_get_le16(&src); mode = bytestream_get_le16(&src);
offset = bytestream_get_le16(&src) * 2; offset = bytestream_get_le16(&src) * 2;
@ -200,6 +202,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
return 0; return 0;
val = *src++; val = *src++;
if (val) { if (val) {
if (val << 1 >= table_size)
return AVERROR_INVALIDDATA;
val = AV_RL16(table + (val << 1)); val = AV_RL16(table + (val << 1));
uval = (val >> 3) & 0xF8; uval = (val >> 3) & 0xF8;
vval = (val >> 8) & 0xF8; vval = (val >> 8) & 0xF8;
@ -220,6 +224,8 @@ static int xan_decode_chroma(AVCodecContext *avctx, AVPacket *avpkt)
return 0; return 0;
val = *src++; val = *src++;
if (val) { if (val) {
if (val << 1 >= table_size)
return AVERROR_INVALIDDATA;
val = AV_RL16(table + (val << 1)); val = AV_RL16(table + (val << 1));
uval = (val >> 3) & 0xF8; uval = (val >> 3) & 0xF8;
vval = (val >> 8) & 0xF8; vval = (val >> 8) & 0xF8;