RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

lagarith: fix buffer overreads. 

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Ronald S. Bultje 2012-03-27 12:26:46 -07:00
parent c0b34e6148
commit 0a82f5275f
2 changed files with 54 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
libavcodec/lagarith.c
View File

@ -247,14 +247,15 @@ static void lag_pred_line(LagarithContext *l, uint8_t *buf,
{ {
int L, TL; int L, TL;
/* Left pixel is actually prev_row[width] */
L = buf[width - stride - 1];
if (!line) { if (!line) {
/* Left prediction only for first line */ /* Left prediction only for first line */
L = l->dsp.add_hfyu_left_prediction(buf + 1, buf + 1, L = l->dsp.add_hfyu_left_prediction(buf + 1, buf + 1,
width - 1, buf[0]); width - 1, buf[0]);
return; } else {
} else if (line == 1) { /* Left pixel is actually prev_row[width] */
L = buf[width - stride - 1];
if (line == 1) {
/* Second line, left predict first pixel, the rest of the line is median predicted /* Second line, left predict first pixel, the rest of the line is median predicted
* NOTE: In the case of RGB this pixel is top predicted */ * NOTE: In the case of RGB this pixel is top predicted */
TL = l->avctx->pix_fmt == PIX_FMT_YUV420P ? buf[-stride] : L; TL = l->avctx->pix_fmt == PIX_FMT_YUV420P ? buf[-stride] : L;
@ -265,6 +266,7 @@ static void lag_pred_line(LagarithContext *l, uint8_t *buf,
add_lag_median_prediction(buf, buf - stride, buf, add_lag_median_prediction(buf, buf - stride, buf,
width, &L, &TL); width, &L, &TL);
}
} }
static int lag_decode_line(LagarithContext *l, lag_rac *rac, static int lag_decode_line(LagarithContext *l, lag_rac *rac,
@ -310,13 +312,13 @@ handle_zeros:
} }
static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst,
const uint8_t *src, int width, const uint8_t *src, const uint8_t *src_end,
int esc_count) int width, int esc_count)
{ {
int i = 0; int i = 0;
int count; int count;
uint8_t zero_run = 0; uint8_t zero_run = 0;
const uint8_t *start = src; const uint8_t *src_start = src;
uint8_t mask1 = -(esc_count < 2); uint8_t mask1 = -(esc_count < 2);
uint8_t mask2 = -(esc_count < 3); uint8_t mask2 = -(esc_count < 3);
uint8_t *end = dst + (width - 2); uint8_t *end = dst + (width - 2);
@ -333,6 +335,8 @@ output_zeros:
i = 0; i = 0;
while (!zero_run && dst + i < end) { while (!zero_run && dst + i < end) {
i++; i++;
if (src + i >= src_end)
return AVERROR_INVALIDDATA;
zero_run = zero_run =
!(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2)); !(src[i] | (src[i + 1] & mask1) | (src[i + 2] & mask2));
} }
@ -348,9 +352,10 @@ output_zeros:
} else { } else {
memcpy(dst, src, i); memcpy(dst, src, i);
src += i; src += i;
dst += i;
} }
} }
return start - src; return src_start - src;
} }
@ -366,6 +371,7 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst,
int esc_count = src[0]; int esc_count = src[0];
GetBitContext gb; GetBitContext gb;
lag_rac rac; lag_rac rac;
const uint8_t *src_end = src + src_size;
rac.avctx = l->avctx; rac.avctx = l->avctx;
l->zeros = 0; l->zeros = 0;
@ -396,10 +402,16 @@ static int lag_decode_arith_plane(LagarithContext *l, uint8_t *dst,
esc_count -= 4; esc_count -= 4;
if (esc_count > 0) { if (esc_count > 0) {
/* Zero run coding only, no range coding. */ /* Zero run coding only, no range coding. */
for (i = 0; i < height; i++) for (i = 0; i < height; i++) {
src += lag_decode_zero_run_line(l, dst + (i * stride), src, int res = lag_decode_zero_run_line(l, dst + (i * stride), src,
width, esc_count); src_end, width, esc_count);
if (res < 0)
return res;
src += res;
}
} else { } else {
if (src_size < width * height)
return AVERROR_INVALIDDATA; // buffer not big enough
/* Plane is stored uncompressed */ /* Plane is stored uncompressed */
for (i = 0; i < height; i++) { for (i = 0; i < height; i++) {
memcpy(dst + (i * stride), src, width); memcpy(dst + (i * stride), src, width);
@ -506,11 +518,19 @@ static int lag_decode_frame(AVCodecContext *avctx,
} }
for (i = 0; i < planes; i++) for (i = 0; i < planes; i++)
srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride; srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;
if (offset_ry >= buf_size ||
offset_gu >= buf_size ||
offset_bv >= buf_size ||
(planes == 4 && offs[3] >= buf_size)) {
av_log(avctx, AV_LOG_ERROR,
"Invalid frame offsets\n");
return AVERROR_INVALIDDATA;
}
for (i = 0; i < planes; i++) for (i = 0; i < planes; i++)
lag_decode_arith_plane(l, srcs[i], lag_decode_arith_plane(l, srcs[i],
avctx->width, avctx->height, avctx->width, avctx->height,
-l->rgb_stride, buf + offs[i], -l->rgb_stride, buf + offs[i],
buf_size); buf_size - offs[i]);
dst = p->data[0]; dst = p->data[0];
for (i = 0; i < planes; i++) for (i = 0; i < planes; i++)
srcs[i] = l->rgb_planes + i * l->rgb_stride * avctx->height; srcs[i] = l->rgb_planes + i * l->rgb_stride * avctx->height;
@ -544,15 +564,23 @@ static int lag_decode_frame(AVCodecContext *avctx,
return -1; return -1;
} }
if (offset_ry >= buf_size ||
offset_gu >= buf_size ||
offset_bv >= buf_size) {
av_log(avctx, AV_LOG_ERROR,
"Invalid frame offsets\n");
return AVERROR_INVALIDDATA;
}
lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height, lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height,
p->linesize[0], buf + offset_ry, p->linesize[0], buf + offset_ry,
buf_size); buf_size - offset_ry);
lag_decode_arith_plane(l, p->data[2], avctx->width / 2, lag_decode_arith_plane(l, p->data[2], avctx->width / 2,
avctx->height / 2, p->linesize[2], avctx->height / 2, p->linesize[2],
buf + offset_gu, buf_size); buf + offset_gu, buf_size - offset_gu);
lag_decode_arith_plane(l, p->data[1], avctx->width / 2, lag_decode_arith_plane(l, p->data[1], avctx->width / 2,
avctx->height / 2, p->linesize[1], avctx->height / 2, p->linesize[1],
buf + offset_bv, buf_size); buf + offset_bv, buf_size - offset_bv);
break; break;
default: default:
av_log(avctx, AV_LOG_ERROR, av_log(avctx, AV_LOG_ERROR,

5
libavcodec/lagarithrac.c
View File

@ -32,15 +32,16 @@
void ff_lag_rac_init(lag_rac *l, GetBitContext *gb, int length) void ff_lag_rac_init(lag_rac *l, GetBitContext *gb, int length)
{ {
int i, j; int i, j, left;
/* According to reference decoder "1st byte is garbage", /* According to reference decoder "1st byte is garbage",
* however, it gets skipped by the call to align_get_bits() * however, it gets skipped by the call to align_get_bits()
*/ */
align_get_bits(gb); align_get_bits(gb);
left = get_bits_left(gb) >> 3;
l->bytestream_start = l->bytestream_start =
l->bytestream = gb->buffer + get_bits_count(gb) / 8; l->bytestream = gb->buffer + get_bits_count(gb) / 8;
l->bytestream_end = l->bytestream_start + length; l->bytestream_end = l->bytestream_start + FFMIN(length, left);
l->range = 0x80; l->range = 0x80;
l->low = *l->bytestream >> 1; l->low = *l->bytestream >> 1;