virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00
Code Issues Releases Activity

xan: Only read within the data that actually was initialized

Browse Source 
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
This commit is contained in:
Martin Storsjö 2013-09-29 00:59:50 +03:00
parent 30db94dc39
commit fc739b3eef
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/xan.c
View File

@ -103,6 +103,7 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
int ptr_len = src_len - 1 - byte*2; int ptr_len = src_len - 1 - byte*2;
unsigned char val = ival; unsigned char val = ival;
unsigned char *dest_end = dest + dest_len; unsigned char *dest_end = dest + dest_len;
unsigned char *dest_start = dest;
GetBitContext gb; GetBitContext gb;
if (ptr_len < 0) if (ptr_len < 0)
@ -118,13 +119,13 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
if (val < 0x16) { if (val < 0x16) {
if (dest >= dest_end) if (dest >= dest_end)
return 0; return dest_len;
*dest++ = val; *dest++ = val;
val = ival; val = ival;
} }
} }
return 0; return dest - dest_start;
} }
/** /**
@ -278,7 +279,7 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
unsigned char flag = 0; unsigned char flag = 0;
int size = 0; int size = 0;
int motion_x, motion_y; int motion_x, motion_y;
int x, y; int x, y, ret;
unsigned char *opcode_buffer = s->buffer1; unsigned char *opcode_buffer = s->buffer1;
unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size; unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
@ -312,9 +313,10 @@ static int xan_wc3_decode_frame(XanContext *s, AVFrame *frame)
bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset); bytestream2_init(&vector_segment, s->buf + vector_offset, s->size - vector_offset);
imagedata_segment = s->buf + imagedata_offset; imagedata_segment = s->buf + imagedata_offset;
if (xan_huffman_decode(opcode_buffer, opcode_buffer_size, if ((ret = xan_huffman_decode(opcode_buffer, opcode_buffer_size,
huffman_segment, s->size - huffman_offset) < 0) huffman_segment, s->size - huffman_offset)) < 0)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
opcode_buffer_end = opcode_buffer + ret;
if (imagedata_segment[0] == 2) { if (imagedata_segment[0] == 2) {
xan_unpack(s->buffer2, s->buffer2_size, xan_unpack(s->buffer2, s->buffer2_size,