dfa: protect pointer range checks against overflows.
parent
a75529e81e
commit
d38345878c
@ -81,7 +81,7 @@ static int decode_tsw1(uint8_t *frame, int width, int height,
|
|||||||
v = bytestream_get_le16(&src);
|
v = bytestream_get_le16(&src);
|
||||||
offset = (v & 0x1FFF) << 1;
|
offset = (v & 0x1FFF) << 1;
|
||||||
count = ((v >> 13) + 2) << 1;
|
count = ((v >> 13) + 2) << 1;
|
||||||
if (frame - offset < frame_start || frame_end - frame < count)
|
if (frame - frame_start < offset || frame_end - frame < count)
|
||||||
return -1;
|
return -1;
|
||||||
av_memcpy_backptr(frame, offset, count);
|
av_memcpy_backptr(frame, offset, count);
|
||||||
frame += count;
|
frame += count;
|
||||||
@ -117,7 +117,7 @@ static int decode_dsw1(uint8_t *frame, int width, int height,
|
|||||||
v = bytestream_get_le16(&src);
|
v = bytestream_get_le16(&src);
|
||||||
offset = (v & 0x1FFF) << 1;
|
offset = (v & 0x1FFF) << 1;
|
||||||
count = ((v >> 13) + 2) << 1;
|
count = ((v >> 13) + 2) << 1;
|
||||||
if (frame - offset < frame_start || frame_end - frame < count)
|
if (frame - frame_start < offset || frame_end - frame < count)
|
||||||
return -1;
|
return -1;
|
||||||
// can't use av_memcpy_backptr() since it can overwrite following pixels
|
// can't use av_memcpy_backptr() since it can overwrite following pixels
|
||||||
for (v = 0; v < count; v++)
|
for (v = 0; v < count; v++)
|
||||||
@ -157,7 +157,7 @@ static int decode_dds1(uint8_t *frame, int width, int height,
|
|||||||
v = bytestream_get_le16(&src);
|
v = bytestream_get_le16(&src);
|
||||||
offset = (v & 0x1FFF) << 2;
|
offset = (v & 0x1FFF) << 2;
|
||||||
count = ((v >> 13) + 2) << 1;
|
count = ((v >> 13) + 2) << 1;
|
||||||
if (frame - offset < frame_start || frame_end - frame < count*2 + width)
|
if (frame - frame_start < offset || frame_end - frame < count*2 + width)
|
||||||
return -1;
|
return -1;
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
frame[0] = frame[1] =
|
frame[0] = frame[1] =
|
||||||
|
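Review bot: The rewritten bounds check in decode_tsw1, `frame - frame_start < offset`, has no comment saying why it compares distances, so a later cleanup could restore the `frame - offset < frame_start` form. That older form computes a pointer before the start of the frame buffer whenever offset exceeds the bytes already written, which is undefined and can wrap past the check, letting the back-reference copy read outside the frame. I would add `/* compare distances: frame - offset may point before frame_start (undefined, can wrap) */` above the condition; the same comment fits the identical checks in decode_dsw1 and decode_dds1. All three functions start and end outside the hunks shown, so the declarations of offset and count are not visible here.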