mirror of https://git.ffmpeg.org/ffmpeg.git
Merge commit '7ebdffc353f3f0827864e8e3461fdc00cc243b14'
* commit '7ebdffc353f3f0827864e8e3461fdc00cc243b14': dxv: Check to make sure we don't overrun buffers on corrupt inputs Merged-by: Clément Bœsch <u@pkh.me>
commit
d96f6df3a6
|
@ -133,7 +133,7 @@ static int dxv_decompress_dxt1(AVCodecContext *avctx)
|
||||||
AV_WL32(ctx->tex_data + 4, bytestream2_get_le32(gbc));
|
AV_WL32(ctx->tex_data + 4, bytestream2_get_le32(gbc));
|
||||||
|
|
||||||
/* Process input until the whole texture has been filled */
|
/* Process input until the whole texture has been filled */
|
||||||
while (pos < ctx->tex_size / 4) {
|
while (pos + 2 <= ctx->tex_size / 4) {
|
||||||
CHECKPOINT(2);
|
CHECKPOINT(2);
|
||||||
|
|
||||||
/* Copy two elements from a previous offset or from the input buffer */
|
/* Copy two elements from a previous offset or from the input buffer */
|
||||||
|
@ -186,7 +186,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
|
||||||
AV_WL32(ctx->tex_data + 12, bytestream2_get_le32(gbc));
|
AV_WL32(ctx->tex_data + 12, bytestream2_get_le32(gbc));
|
||||||
|
|
||||||
/* Process input until the whole texture has been filled */
|
/* Process input until the whole texture has been filled */
|
||||||
while (pos < ctx->tex_size / 4) {
|
while (pos + 2 <= ctx->tex_size / 4) {
|
||||||
if (run) {
|
if (run) {
|
||||||
run--;
|
run--;
|
||||||
|
|
||||||
|
@ -215,7 +215,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
|
||||||
check += probe;
|
check += probe;
|
||||||
} while (probe == 0xFFFF);
|
} while (probe == 0xFFFF);
|
||||||
}
|
}
|
||||||
while (check && pos < ctx->tex_size / 4) {
|
while (check && pos + 4 <= ctx->tex_size / 4) {
|
||||||
prev = AV_RL32(ctx->tex_data + 4 * (pos - 4));
|
prev = AV_RL32(ctx->tex_data + 4 * (pos - 4));
|
||||||
AV_WL32(ctx->tex_data + 4 * pos, prev);
|
AV_WL32(ctx->tex_data + 4 * pos, prev);
|
||||||
pos++;
|
pos++;
|
||||||
|
@ -260,10 +260,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
|
||||||
case 2:
|
case 2:
|
||||||
/* Copy two dwords from a previous index */
|
/* Copy two dwords from a previous index */
|
||||||
idx = 8 + bytestream2_get_le16(gbc);
|
idx = 8 + bytestream2_get_le16(gbc);
|
||||||
if (idx > pos) {
|
if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
|
||||||
av_log(avctx, AV_LOG_ERROR, "idx %d > %d\n", idx, pos);
|
|
||||||
return AVERROR_INVALIDDATA;
|
return AVERROR_INVALIDDATA;
|
||||||
}
|
|
||||||
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
|
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
|
||||||
AV_WL32(ctx->tex_data + 4 * pos, prev);
|
AV_WL32(ctx->tex_data + 4 * pos, prev);
|
||||||
pos++;
|
pos++;
|
||||||
|
@ -286,9 +284,13 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
|
||||||
}
|
}
|
||||||
|
|
||||||
CHECKPOINT(4);
|
CHECKPOINT(4);
|
||||||
|
if (pos + 2 > ctx->tex_size / 4)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
|
||||||
/* Copy two elements from a previous offset or from the input buffer */
|
/* Copy two elements from a previous offset or from the input buffer */
|
||||||
if (op) {
|
if (op) {
|
||||||
|
if (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
|
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
|
||||||
AV_WL32(ctx->tex_data + 4 * pos, prev);
|
AV_WL32(ctx->tex_data + 4 * pos, prev);
|
||||||
pos++;
|
pos++;
|
||||||
|
@ -299,6 +301,8 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx)
|
||||||
} else {
|
} else {
|
||||||
CHECKPOINT(4);
|
CHECKPOINT(4);
|
||||||
|
|
||||||
|
if (op && (idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4))
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
if (op)
|
if (op)
|
||||||
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
|
prev = AV_RL32(ctx->tex_data + 4 * (pos - idx));
|
||||||
else
|
else
|
||||||
|
|
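Review bot: The back-reference guard `idx > pos || (unsigned int)(pos - idx) + 2 > ctx->tex_size / 4` is pasted by hand at three read sites in dxv_decompress_dxt5 (after `idx = 8 + bytestream2_get_le16(gbc)` and after each of the two `CHECKPOINT(4)` calls shown), so any `AV_RL32(ctx->tex_data + 4 * (pos - idx))` that follows a freshly computed idx without its own copy would still read outside the texture buffer on corrupt input. The last hunk stops at `else` and the dxt1 hunk shows only the tightened loop condition, so whether the remaining reads in those bodies are covered cannot be confirmed from this page. I would define the predicate once, for example `#define BACKREF_INVALID(pos, idx) ((idx) > (pos) || (unsigned int)((pos) - (idx)) + 2 > ctx->tex_size / 4)` (name illustrative), and apply it wherever idx is recomputed, possibly inside CHECKPOINT itself. The `case 2` path also drops the `av_log(avctx, AV_LOG_ERROR, ...)` call, so this rejection is now silent; keeping one error line there would make corrupt-file reports easier to triage.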