mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
security fixes
* check for writing to lines -1,-2,... * check for motion compensation (copying from and to valid place) patch by (Kostya: kostya shishkov, gmail com) Originally committed as revision 4508 to svn://svn.ffmpeg.org/ffmpeg/trunk
parent
9c633e9a6f
commit
f63166f8df
@ -40,11 +40,13 @@ static void qpeg_decode_intra(uint8_t *src, uint8_t *dst, int size,
|
|||||||
int c0, c1;
|
int c0, c1;
|
||||||
int run, copy;
|
int run, copy;
|
||||||
int filled = 0;
|
int filled = 0;
|
||||||
|
int rows_to_go;
|
||||||
|
|
||||||
|
rows_to_go = height;
|
||||||
height--;
|
height--;
|
||||||
dst = dst + height * stride;
|
dst = dst + height * stride;
|
||||||
|
|
||||||
while(size > 0) {
|
while((size > 0) && (rows_to_go > 0)) {
|
||||||
code = *src++;
|
code = *src++;
|
||||||
size--;
|
size--;
|
||||||
run = copy = 0;
|
run = copy = 0;
|
||||||
@ -85,17 +87,23 @@ static void qpeg_decode_intra(uint8_t *src, uint8_t *dst, int size,
|
|||||||
if (filled >= width) {
|
if (filled >= width) {
|
||||||
filled = 0;
|
filled = 0;
|
||||||
dst -= stride;
|
dst -= stride;
|
||||||
|
rows_to_go--;
|
||||||
|
if(rows_to_go <= 0)
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
size -= copy;
|
||||||
for(i = 0; i < copy; i++) {
|
for(i = 0; i < copy; i++) {
|
||||||
dst[filled++] = *src++;
|
dst[filled++] = *src++;
|
||||||
if (filled >= width) {
|
if (filled >= width) {
|
||||||
filled = 0;
|
filled = 0;
|
||||||
dst -= stride;
|
dst -= stride;
|
||||||
|
rows_to_go--;
|
||||||
|
if(rows_to_go <= 0)
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
size -= copy;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -113,17 +121,19 @@ static void qpeg_decode_inter(uint8_t *src, uint8_t *dst, int size,
|
|||||||
int i, j;
|
int i, j;
|
||||||
int code;
|
int code;
|
||||||
int filled = 0;
|
int filled = 0;
|
||||||
|
int orig_height;
|
||||||
uint8_t *blkdata;
|
uint8_t *blkdata;
|
||||||
|
|
||||||
/* copy prev frame */
|
/* copy prev frame */
|
||||||
for(i = 0; i < height; i++)
|
for(i = 0; i < height; i++)
|
||||||
memcpy(refdata + (i * width), dst + (i * stride), width);
|
memcpy(refdata + (i * width), dst + (i * stride), width);
|
||||||
|
|
||||||
|
orig_height = height;
|
||||||
blkdata = src - 0x86;
|
blkdata = src - 0x86;
|
||||||
height--;
|
height--;
|
||||||
dst = dst + height * stride;
|
dst = dst + height * stride;
|
||||||
|
|
||||||
while(size > 0) {
|
while((size > 0) && (height >= 0)) {
|
||||||
code = *src++;
|
code = *src++;
|
||||||
size--;
|
size--;
|
||||||
|
|
||||||
@ -155,11 +165,19 @@ static void qpeg_decode_inter(uint8_t *src, uint8_t *dst, int size,
|
|||||||
val -= 16;
|
val -= 16;
|
||||||
me_y = val;
|
me_y = val;
|
||||||
|
|
||||||
/* do motion compensation */
|
/* check motion vector */
|
||||||
me_plane = refdata + (filled + me_x) + (height - me_y) * width;
|
if ((me_x + filled < 0) || (me_x + me_w + filled > width) ||
|
||||||
for(j = 0; j < me_h; j++) {
|
(height - me_y - me_h < 0) || (height - me_y > orig_height) ||
|
||||||
for(i = 0; i < me_w; i++)
|
(filled + me_w > width) || (height - me_h < 0))
|
||||||
dst[filled + i - (j * stride)] = me_plane[i - (j * width)];
|
av_log(NULL, AV_LOG_ERROR, "Bogus motion vector (%i,%i), block size %ix%i at %i,%i\n",
|
||||||
|
me_x, me_y, me_w, me_h, filled, height);
|
||||||
|
else {
|
||||||
|
/* do motion compensation */
|
||||||
|
me_plane = refdata + (filled + me_x) + (height - me_y) * width;
|
||||||
|
for(j = 0; j < me_h; j++) {
|
||||||
|
for(i = 0; i < me_w; i++)
|
||||||
|
dst[filled + i - (j * stride)] = me_plane[i - (j * width)];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
code = *src++;
|
code = *src++;
|
||||||
@ -212,6 +230,8 @@ static void qpeg_decode_inter(uint8_t *src, uint8_t *dst, int size,
|
|||||||
filled -= width;
|
filled -= width;
|
||||||
dst -= stride;
|
dst -= stride;
|
||||||
height--;
|
height--;
|
||||||
|
if(height < 0)
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* zero code treated as one-pixel skip */
|
/* zero code treated as one-pixel skip */
|
||||||
|
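Review bot: The new motion-vector check in qpeg_decode_inter still accepts a reference row equal to orig_height, because it tests `(height - me_y > orig_height)`. Only rows 0 to orig_height-1 are copied into refdata at the top of the function, so for that value me_plane starts one row past the copied data; the comparison should be `(height - me_y >= orig_height)`. The rejected case is only reported through `av_log(NULL, ...)` and decoding continues; since the function is `static void`, the caller cannot tell that the frame was damaged, which deserves at least a comment. Separately, in the second qpeg_decode_intra hunk `size -= copy;` now runs before the copy loop, but no visible line compares copy with size before the loop reads `*src++`. The code that computes copy lies outside the hunk, so if it has no such bound, a guard such as `if (copy > size) copy = size;` before the loop would keep the read inside the input buffer.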