mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2025-01-03 05:10:03 +02:00
avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer
Fixes out of array access
Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f7e1367f58
)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
87e2a689a8
commit
dfce316c12
@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
|
||||
unsigned char extra_byte, odd_pixel;
|
||||
unsigned char stream_byte;
|
||||
unsigned int pixel_ptr = 0;
|
||||
int row_dec = pic->linesize[0];
|
||||
int row_ptr = (avctx->height - 1) * row_dec;
|
||||
int frame_size = row_dec * avctx->height;
|
||||
int line = avctx->height - 1;
|
||||
int i;
|
||||
|
||||
while (row_ptr >= 0) {
|
||||
while (line >= 0 && pixel_ptr <= avctx->width) {
|
||||
if (bytestream2_get_bytes_left(gb) <= 0) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"MS RLE: bytestream overrun, %d rows left\n",
|
||||
row_ptr);
|
||||
"MS RLE: bytestream overrun, %dx%d left\n",
|
||||
avctx->width - pixel_ptr, line);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
rle_code = stream_byte = bytestream2_get_byteu(gb);
|
||||
@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
|
||||
stream_byte = bytestream2_get_byte(gb);
|
||||
if (stream_byte == 0) {
|
||||
/* line is done, goto the next one */
|
||||
row_ptr -= row_dec;
|
||||
line--;
|
||||
pixel_ptr = 0;
|
||||
} else if (stream_byte == 1) {
|
||||
/* decode is done */
|
||||
@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
|
||||
stream_byte = bytestream2_get_byte(gb);
|
||||
pixel_ptr += stream_byte;
|
||||
stream_byte = bytestream2_get_byte(gb);
|
||||
row_ptr -= stream_byte * row_dec;
|
||||
} else {
|
||||
// copy pixels from encoded stream
|
||||
odd_pixel = stream_byte & 1;
|
||||
rle_code = (stream_byte + 1) / 2;
|
||||
extra_byte = rle_code & 0x01;
|
||||
if (row_ptr + pixel_ptr + stream_byte > frame_size ||
|
||||
if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width ||
|
||||
bytestream2_get_bytes_left(gb) < rle_code) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"MS RLE: frame/stream ptr just went out of bounds (copy)\n");
|
||||
@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
|
||||
if (pixel_ptr >= avctx->width)
|
||||
break;
|
||||
stream_byte = bytestream2_get_byteu(gb);
|
||||
pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
|
||||
pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
|
||||
pixel_ptr++;
|
||||
if (i + 1 == rle_code && odd_pixel)
|
||||
break;
|
||||
if (pixel_ptr >= avctx->width)
|
||||
break;
|
||||
pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
|
||||
pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
|
||||
pixel_ptr++;
|
||||
}
|
||||
|
||||
@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
|
||||
}
|
||||
} else {
|
||||
// decode a run of data
|
||||
if (row_ptr + pixel_ptr + stream_byte > frame_size) {
|
||||
if (pixel_ptr + rle_code > avctx->width + 1) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"MS RLE: frame ptr just went out of bounds (run)\n");
|
||||
return AVERROR_INVALIDDATA;
|
||||
@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
|
||||
if (pixel_ptr >= avctx->width)
|
||||
break;
|
||||
if ((i & 1) == 0)
|
||||
pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
|
||||
pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
|
||||
else
|
||||
pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
|
||||
pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
|
||||
pixel_ptr++;
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user