virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-10 06:10:52 +02:00
Code Issues Releases Activity

bink: Check for various out of bound writes

Browse Source 
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
This commit is contained in:
Laurent Aimar
2011-09-27 12:16:41 +00:00
committed by Janne Grunau
parent 24adf7832b
commit a00676e48e
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
libavcodec/bink.c
View File

@@ -344,14 +344,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
memset(b->cur_dec, v, t); memset(b->cur_dec, v, t);
b->cur_dec += t; b->cur_dec += t;
} else { } else {
do { while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree); v = GET_HUFF(gb, b->tree);
if (v) { if (v) {
sign = -get_bits1(gb); sign = -get_bits1(gb);
v = (v ^ sign) - sign; v = (v ^ sign) - sign;
} }
*b->cur_dec++ = v; *b->cur_dec++ = v;
} while (b->cur_dec < dec_end); }
} }
return 0; return 0;
} }
@@ -375,7 +375,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
memset(b->cur_dec, v, t); memset(b->cur_dec, v, t);
b->cur_dec += t; b->cur_dec += t;
} else { } else {
do { while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree); v = GET_HUFF(gb, b->tree);
if (v < 12) { if (v < 12) {
last = v; last = v;
@@ -383,10 +383,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
} else { } else {
int run = bink_rlelens[v - 12]; int run = bink_rlelens[v - 12];
if (dec_end - b->cur_dec < run)
return -1;
memset(b->cur_dec, last, run); memset(b->cur_dec, last, run);
b->cur_dec += run; b->cur_dec += run;
} }
} while (b->cur_dec < dec_end); }
} }
return 0; return 0;
} }
@@ -456,7 +458,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
int start_bits, int has_sign) int start_bits, int has_sign)
{ {
int i, j, len, len2, bsize, sign, v, v2; int i, j, len, len2, bsize, sign, v, v2;
int16_t *dst = (int16_t*)b->cur_dec; int16_t *dst = (int16_t*)b->cur_dec;
int16_t *dst_end = (int16_t*)b->data_end;
CHECK_READ_VAL(gb, b, len); CHECK_READ_VAL(gb, b, len);
v = get_bits(gb, start_bits - has_sign); v = get_bits(gb, start_bits - has_sign);
@@ -464,10 +467,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
sign = -get_bits1(gb); sign = -get_bits1(gb);
v = (v ^ sign) - sign; v = (v ^ sign) - sign;
} }
if (dst_end - dst < 1)
return -1;
*dst++ = v; *dst++ = v;
len--; len--;
for (i = 0; i < len; i += 8) { for (i = 0; i < len; i += 8) {
len2 = FFMIN(len - i, 8); len2 = FFMIN(len - i, 8);
if (dst_end - dst < len2)
return -1;
bsize = get_bits(gb, 4); bsize = get_bits(gb, 4);
if (bsize) { if (bsize) {
for (j = 0; j < len2; j++) { for (j = 0; j < len2; j++) {
@@ -535,6 +542,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num)
int i, len; int i, len;
CHECK_READ_VAL(gb, b, len); CHECK_READ_VAL(gb, b, len);
if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
return -1;
if (bits <= 8) { if (bits <= 8) {
if (!issigned) { if (!issigned) {
for (i = 0; i < len; i++) for (i = 0; i < len; i++)