eatgv: fix pointer arithmetic overflows.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-10-08 23:40:28 +02:00 · 2011-10-08 23:40:28 +02:00 · 6bfe0d4c3d
parent 09302a897d
commit 6bfe0d4c3d
1 changed files with 15 additions and 10 deletions
--- a/libavcodec/eatgv.c
+++ b/libavcodec/eatgv.c
@ -74,7 +74,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
    else
        src += 2;

-    if (src+3>src_end)
+    if (src_end - src < 3)
        return -1;
    size = AV_RB24(src);
    src += 3;
@ -138,7 +138,7 @@ static int unpack(const uint8_t *src, const uint8_t *src_end, unsigned char *dst
 * @return 0 on success, -1 on critical buffer underflow
 */
 static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *buf_end){
-    unsigned char *frame0_end = s->last_frame.data[0] + s->avctx->height*s->last_frame.linesize[0];
+    unsigned last_frame_size = s->avctx->height*s->last_frame.linesize[0];
    int num_mvs;
    int num_blocks_raw;
    int num_blocks_packed;
@ -148,7 +148,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
    int mvbits;
    const unsigned char *blocks_raw;

-    if(buf+12>buf_end)
+    if(buf_end - buf < 12)
        return -1;

    num_mvs           = AV_RL16(&buf[0]);
@ -171,7 +171,7 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
    /* read motion vectors */
    mvbits = (num_mvs*2*10+31) & ~31;

-    if (buf+(mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed>buf_end)
+    if (buf_end - buf < (mvbits>>3)+16*num_blocks_raw+8*num_blocks_packed)
        return -1;

    init_get_bits(&gb, buf, mvbits);
@ -207,12 +207,14 @@ static int tgv_decode_inter(TgvContext * s, const uint8_t *buf, const uint8_t *b
        int src_stride;

        if (vector < num_mvs) {
-            src = s->last_frame.data[0] +
-                  (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
-                   x*4 + s->mv_codebook[vector][0];
+            unsigned offset =
+                (y*4 + s->mv_codebook[vector][1])*s->last_frame.linesize[0] +
+                 x*4 + s->mv_codebook[vector][0];
+
            src_stride = s->last_frame.linesize[0];
-            if (src < s->last_frame.data[0] || src+3*src_stride+3>=frame0_end)
+            if (offset >= last_frame_size - (3*src_stride+3))
                continue;
+            src = s->last_frame.data[0] + offset;
        }else{
            int offset = vector - num_mvs;
            if (offset<num_blocks_raw)
@ -252,12 +254,15 @@ static int tgv_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf_end = buf + buf_size;
    int chunk_type;

+    if (buf_end - buf < EA_PREAMBLE_SIZE)
+        return AVERROR_INVALIDDATA;
+
    chunk_type = AV_RL32(&buf[0]);
    buf += EA_PREAMBLE_SIZE;

    if (chunk_type==kVGT_TAG) {
        int pal_count, i;
-        if(buf+12>buf_end) {
+        if(buf_end - buf < 12) {
            av_log(avctx, AV_LOG_WARNING, "truncated header\n");
            return -1;
        }
@ -272,7 +277,7 @@ static int tgv_decode_frame(AVCodecContext *avctx,

        pal_count = AV_RL16(&buf[6]);
        buf += 12;
-        for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+        for(i=0; i<pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
            s->palette[i] = AV_RB24(buf);
            buf += 3;
        }