virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-15 14:13:16 +02:00
Code Issues Releases Activity

indeo3: check motion vectors for validity

Browse Source 
Fixes null pointer dereferences in fuzzed files found by Oana Stratulat.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
This commit is contained in:
Janne Grunau
2012-01-06 01:21:36 +01:00
parent b18a0cc781
commit be540e0cb3
1 changed files with 18 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
libavcodec/indeo3.c
View File

@@ -89,6 +89,7 @@ typedef struct Indeo3DecodeContext {
const uint8_t *next_cell_data; const uint8_t *next_cell_data;
const uint8_t *last_byte; const uint8_t *last_byte;
const int8_t *mc_vectors; const int8_t *mc_vectors;
unsigned num_vectors; ///< number of motion vectors in mc_vectors
int16_t width, height; int16_t width, height;
uint32_t frame_num; ///< current frame number (zero-based) uint32_t frame_num; ///< current frame number (zero-based)
@@ -764,10 +765,16 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
break; break;
case INTER_DATA: case INTER_DATA:
if (!curr_cell.tree) { /* MC tree INTER code */ if (!curr_cell.tree) { /* MC tree INTER code */
unsigned mv_idx;
/* get motion vector index and setup the pointer to the mv set */ /* get motion vector index and setup the pointer to the mv set */
if (!ctx->need_resync) if (!ctx->need_resync)
ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3]; ctx->next_cell_data = &ctx->gb.buffer[(get_bits_count(&ctx->gb) + 7) >> 3];
curr_cell.mv_ptr = &ctx->mc_vectors[*(ctx->next_cell_data++) << 1]; mv_idx = *(ctx->next_cell_data++) << 1;
if (mv_idx >= ctx->num_vectors) {
av_log(avctx, AV_LOG_ERROR, "motion vector index out of range\n");
return AVERROR_INVALIDDATA;
}
curr_cell.mv_ptr = &ctx->mc_vectors[mv_idx];
curr_cell.tree = 1; /* enter the VQ tree */ curr_cell.tree = 1; /* enter the VQ tree */
UPDATE_BITPOS(8); UPDATE_BITPOS(8);
} else { /* VQ tree DATA code */ } else { /* VQ tree DATA code */
@@ -797,15 +804,22 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
int32_t strip_width) int32_t strip_width)
{ {
Cell curr_cell; Cell curr_cell;
int num_vectors; unsigned num_vectors;
/* each plane data starts with mc_vector_count field, */ /* each plane data starts with mc_vector_count field, */
/* an optional array of motion vectors followed by the vq data */ /* an optional array of motion vectors followed by the vq data */
num_vectors = bytestream_get_le32(&data); num_vectors = bytestream_get_le32(&data);
ctx->mc_vectors = num_vectors ? data : 0; if (num_vectors > 256) {
av_log(ctx->avctx, AV_LOG_ERROR,
"Read invalid number of motion vectors %d\n", num_vectors);
return AVERROR_INVALIDDATA;
}
if (num_vectors * 2 >= data_size) if (num_vectors * 2 >= data_size)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
ctx->num_vectors = num_vectors;
ctx->mc_vectors = num_vectors ? data : 0;
/* init the bitreader */ /* init the bitreader */
init_get_bits(&ctx->gb, &data[num_vectors * 2], (data_size - num_vectors * 2) << 3); init_get_bits(&ctx->gb, &data[num_vectors * 2], (data_size - num_vectors * 2) << 3);
ctx->skip_bits = 0; ctx->skip_bits = 0;