dsicinvideo: validate buffer offset before copying pixels.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c95fefa042)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Ronald S. Bultje 2012-03-11 07:28:54 -07:00 committed by Reinhard Tartler
parent 99536be9d4
commit 311361348d

View File

@ -145,11 +145,11 @@ static int cin_decode_huffman(const unsigned char *src, int src_size, unsigned c
return dst_cur - dst; return dst_cur - dst;
} }
static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) static int cin_decode_lzss(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
{ {
uint16_t cmd; uint16_t cmd;
int i, sz, offset, code; int i, sz, offset, code;
unsigned char *dst_end = dst + dst_size; unsigned char *dst_end = dst + dst_size, *dst_start = dst;
const unsigned char *src_end = src + src_size; const unsigned char *src_end = src + src_size;
while (src < src_end && dst < dst_end) { while (src < src_end && dst < dst_end) {
@ -160,6 +160,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
} else { } else {
cmd = AV_RL16(src); src += 2; cmd = AV_RL16(src); src += 2;
offset = cmd >> 4; offset = cmd >> 4;
if ((int) (dst - dst_start) < offset + 1)
return AVERROR_INVALIDDATA;
sz = (cmd & 0xF) + 2; sz = (cmd & 0xF) + 2;
/* don't use memcpy/memmove here as the decoding routine (ab)uses */ /* don't use memcpy/memmove here as the decoding routine (ab)uses */
/* buffer overlappings to repeat bytes in the destination */ /* buffer overlappings to repeat bytes in the destination */
@ -171,6 +173,8 @@ static void cin_decode_lzss(const unsigned char *src, int src_size, unsigned cha
} }
} }
} }
return 0;
} }
static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size) static void cin_decode_rle(const unsigned char *src, int src_size, unsigned char *dst, int dst_size)
@ -200,13 +204,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size; int buf_size = avpkt->size;
CinVideoContext *cin = avctx->priv_data; CinVideoContext *cin = avctx->priv_data;
int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size; int i, y, palette_type, palette_colors_count, bitmap_frame_type, bitmap_frame_size, res = 0;
cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &cin->frame)) {
av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
return -1;
}
palette_type = buf[0]; palette_type = buf[0];
palette_colors_count = AV_RL16(buf+1); palette_colors_count = AV_RL16(buf+1);
@ -232,8 +230,6 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
bitmap_frame_size -= 4; bitmap_frame_size -= 4;
} }
} }
memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
cin->frame.palette_has_changed = 1;
/* note: the decoding routines below assumes that surface.width = surface.pitch */ /* note: the decoding routines below assumes that surface.width = surface.pitch */
switch (bitmap_frame_type) { switch (bitmap_frame_type) {
@ -266,17 +262,31 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
break; break;
case 38: case 38:
cin_decode_lzss(buf, bitmap_frame_size, res = cin_decode_lzss(buf, bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin->bitmap_table[CIN_CUR_BMP],
cin->bitmap_size);
if (res < 0)
return res;
break; break;
case 39: case 39:
cin_decode_lzss(buf, bitmap_frame_size, res = cin_decode_lzss(buf, bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin->bitmap_table[CIN_CUR_BMP],
cin->bitmap_size);
if (res < 0)
return res;
cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
break; break;
} }
cin->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
if (avctx->reget_buffer(avctx, &cin->frame)) {
av_log(cin->avctx, AV_LOG_ERROR, "delphinecinvideo: reget_buffer() failed to allocate a frame\n");
return -1;
}
memcpy(cin->frame.data[1], cin->palette, sizeof(cin->palette));
cin->frame.palette_has_changed = 1;
for (y = 0; y < cin->avctx->height; ++y) for (y = 0; y < cin->avctx->height; ++y)
memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0], memcpy(cin->frame.data[0] + (cin->avctx->height - 1 - y) * cin->frame.linesize[0],
cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width, cin->bitmap_table[CIN_CUR_BMP] + y * cin->avctx->width,