virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

diracdec: Fix integer overflow leading to out of global array read.

Browse Source 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2012-01-29 03:38:58 +01:00
parent d2a47c9473
commit 9729f140ae
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/diracdec.c
View File

@ -1172,7 +1172,7 @@ static void propagate_block_data(DiracBlock *block, int stride, int size)
* Dirac Specification ->
* 12. Block motion data syntax
*/
static void dirac_unpack_block_motion_data(DiracContext *s)
static int dirac_unpack_block_motion_data(DiracContext *s)
{
GetBitContext *gb = &s->gb;
uint8_t *sbsplit = s->sbsplit;
@ -1192,7 +1192,9 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
ff_dirac_init_arith_decoder(arith, gb, svq3_get_ue_golomb(gb)); /* svq3_get_ue_golomb(gb) is the length */
for (y = 0; y < s->sbheight; y++) {
for (x = 0; x < s->sbwidth; x++) {
int split = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
unsigned int split = dirac_get_arith_uint(arith, CTX_SB_F1, CTX_SB_DATA);
if (split > 2)
return -1;
sbsplit[x] = (split + pred_sbsplit(sbsplit+x, s->sbwidth, x, y)) % 3;
}
sbsplit += s->sbwidth;
@ -1221,6 +1223,8 @@ static void dirac_unpack_block_motion_data(DiracContext *s)
propagate_block_data(block, s->blwidth, step);
}
}
return 0;
}
static int weight(int i, int blen, int offset)
@ -1675,7 +1679,8 @@ static int dirac_decode_picture_header(DiracContext *s)
if (s->num_refs) {
if (dirac_unpack_prediction_parameters(s)) /* [DIRAC_STD] 11.2 Picture Prediction Data. picture_prediction() */
return -1;
dirac_unpack_block_motion_data(s); /* [DIRAC_STD] 12. Block motion data syntax */
if (dirac_unpack_block_motion_data(s)) /* [DIRAC_STD] 12. Block motion data syntax */
return -1;
}
if (dirac_unpack_idwt_params(s)) /* [DIRAC_STD] 11.3 Wavelet transform data */
return -1;