virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00
Code Issues Releases Activity

msrledec: fix output_end checks

Browse Source 
Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-03-05 02:19:12 +01:00
parent 3dbc0ff9c3
commit e398990eb8
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/msrledec.c
View File

@ -138,7 +138,8 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3); unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3);
output = pic->data[0] + (avctx->height - 1) * pic->linesize[0]; output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];
output_end = pic->data[0] + avctx->height * pic->linesize[0]; output_end = output + FFABS(pic->linesize[0]);
while (bytestream2_get_bytes_left(gb) > 0) { while (bytestream2_get_bytes_left(gb) > 0) {
p1 = bytestream2_get_byteu(gb); p1 = bytestream2_get_byteu(gb);
if(p1 == 0) { //Escape code if(p1 == 0) { //Escape code
@ -155,6 +156,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
} }
} }
output = pic->data[0] + line * pic->linesize[0]; output = pic->data[0] + line * pic->linesize[0];
output_end = output + FFABS(pic->linesize[0]);
pos = 0; pos = 0;
continue; continue;
} else if(p2 == 1) { //End-of-picture } else if(p2 == 1) { //End-of-picture
@ -169,11 +171,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
return -1; return -1;
} }
output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3); output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3);
output_end = pic->data[0] + line * pic->linesize[0] + FFABS(pic->linesize[0]);
continue; continue;
} }
// Copy data // Copy data
if ((pic->linesize[0] > 0 && output + p2 * (depth >> 3) > output_end) || if (output + p2 * (depth >> 3) > output_end) {
(pic->linesize[0] < 0 && output + p2 * (depth >> 3) < output_end)) {
bytestream2_skip(gb, 2 * (depth >> 3)); bytestream2_skip(gb, 2 * (depth >> 3));
continue; continue;
} else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) { } else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) {
@ -203,8 +205,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic,
pos += p2; pos += p2;
} else { //run of pixels } else { //run of pixels
uint8_t pix[3]; //original pixel uint8_t pix[3]; //original pixel
if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || if (output + p1 * (depth >> 3) > output_end)
(pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end))
continue; continue;
switch(depth){ switch(depth){