virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

lagarith: Fix various issues that lead to out of array reads.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-03-28 06:41:13 +02:00
parent 44bd50f529
commit 96d0494123
1 changed files with 27 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
libavcodec/lagarith.c
View File

@ -311,7 +311,7 @@ handle_zeros:
} }
static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
const uint8_t *src, int width, const uint8_t *src, const uint8_t *srcend, int width,
int esc_count) int esc_count)
{ {
int i = 0; int i = 0;
@ -334,6 +334,8 @@ output_zeros:
i = 0; i = 0;
while (!zero_run && dst + i < end) { while (!zero_run && dst + i < end) {
i++; i++;
if (i+2 >= srcend - src)
return src - start;
zero_run = zero_run =
!(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2)); !(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2));
} }
@ -364,15 +366,22 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst,
int read = 0; int read = 0;
uint32_t length; uint32_t length;
uint32_t offset = 1; uint32_t offset = 1;
int esc_count = src[0]; int esc_count;
GetBitContext gb; GetBitContext gb;
lag_rac rac; lag_rac rac;
const uint8_t *srcend = src + src_size;
rac.avctx = l->avctx; rac.avctx = l->avctx;
l->zeros = 0; l->zeros = 0;
if(src_size < 2)
return AVERROR_INVALIDDATA;
esc_count = src[0];
if (esc_count < 4) { if (esc_count < 4) {
length = width * height; length = width * height;
if(src_size < 5)
return AVERROR_INVALIDDATA;
if (esc_count && AV_RL32(src + 1) < length) { if (esc_count && AV_RL32(src + 1) < length) {
length = AV_RL32(src + 1); length = AV_RL32(src + 1);
offset += 4; offset += 4;
@ -398,9 +407,11 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst,
if (esc_count > 0) { if (esc_count > 0) {
/* Zero run coding only, no range coding. */ /* Zero run coding only, no range coding. */
for (i = 0; i < height; i++) for (i = 0; i < height; i++)
src += lag_decode_zero_run_line(l, dst + (i * stride), src, src += lag_decode_zero_run_line(l, dst + (i * stride), src, srcend,
width, esc_count); width, esc_count);
} else { } else {
if (src_size < height * width)
return -1;
/* Plane is stored uncompressed */ /* Plane is stored uncompressed */
for (i = 0; i < height; i++) { for (i = 0; i < height; i++) {
memcpy(dst + (i * stride), src, width); memcpy(dst + (i * stride), src, width);
@ -441,7 +452,7 @@ static int lag_decode_frame(AVCodecContext *avctx,
void *data, int *data_size, AVPacket *avpkt) void *data, int *data_size, AVPacket *avpkt)
{ {
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size; unsigned int buf_size = avpkt->size;
LagarithContext *l = avctx->priv_data; LagarithContext *l = avctx->priv_data;
AVFrame *const p = &l->picture; AVFrame *const p = &l->picture;
uint8_t frametype = 0; uint8_t frametype = 0;
@ -507,11 +518,15 @@ static int lag_decode_frame(AVCodecContext *avctx,
} }
for (i = 0; i < planes; i++) for (i = 0; i < planes; i++)
srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
for (i = 0; i < planes; i++) for (i = 0; i < planes; i++) {
if (buf_size <= offs[i]) {
return AVERROR_INVALIDDATA;
}
lag_decode_arith_plane(l, srcs[i], lag_decode_arith_plane(l, srcs[i],
avctx->width, avctx->height, avctx->width, avctx->height,
-l->rgb_stride, buf + offs[i], -l->rgb_stride, buf + offs[i],
buf_size); buf_size - offs[i]);
}
dst = p->data[0]; dst = p->data[0];
for (i = 0; i < planes; i++) for (i = 0; i < planes; i++)
srcs[i] = l->rgb_planes + i * l->rgb_stride * avctx->height; srcs[i] = l->rgb_planes + i * l->rgb_stride * avctx->height;
@ -544,16 +559,19 @@ static int lag_decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return -1; return -1;
} }
if (buf_size <= offset_ry || buf_size <= offset_gu || buf_size <= offset_bv) {
return AVERROR_INVALIDDATA;
}
lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height, lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height,
p->linesize[0], buf + offset_ry, p->linesize[0], buf + offset_ry,
buf_size); buf_size - offset_ry);
lag_decode_arith_plane(l, p->data[2], avctx->width / 2, lag_decode_arith_plane(l, p->data[2], avctx->width / 2,
avctx->height / 2, p->linesize[2], avctx->height / 2, p->linesize[2],
buf + offset_gu, buf_size); buf + offset_gu, buf_size - offset_gu);
lag_decode_arith_plane(l, p->data[1], avctx->width / 2, lag_decode_arith_plane(l, p->data[1], avctx->width / 2,
avctx->height / 2, p->linesize[1], avctx->height / 2, p->linesize[1],
buf + offset_bv, buf_size); buf + offset_bv, buf_size - offset_bv);
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, av_log(avctx, AV_LOG_ERROR,