RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add missing overflow checks in av_image_fill_pointers() and 

av_image_fill_linesizes().

Originally committed as revision 25861 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Stefano Sabatini 2010-12-02 19:49:55 +00:00
parent 3694ac240b
commit 9398024c04
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
libavcore/imgutils.c
View File

@ -71,6 +71,8 @@ int av_image_fill_linesizes(int linesizes[4], enum PixelFormat pix_fmt, int widt
return AVERROR(EINVAL);
if (desc->flags & PIX_FMT_BITSTREAM) {
if (width > (INT_MAX -7) / (desc->comp[0].step_minus1+1))
return AVERROR(EINVAL);
linesizes[0] = (width * (desc->comp[0].step_minus1+1) + 7) >> 3;
return 0;
}
@ -78,7 +80,10 @@ int av_image_fill_linesizes(int linesizes[4], enum PixelFormat pix_fmt, int widt
av_image_fill_max_pixsteps(max_step, max_step_comp, desc);
for (i = 0; i < 4; i++) {
int s = (max_step_comp[i] == 1 || max_step_comp[i] == 2) ? desc->log2_chroma_w : 0;
linesizes[i] = max_step[i] * (((width + (1 << s) - 1)) >> s);
int shifted_w = ((width + (1 << s) - 1)) >> s;
if (max_step[i] > INT_MAX / shifted_w)
return AVERROR(EINVAL);
linesizes[i] = max_step[i] * shifted_w;
}
return 0;
@ -98,6 +103,8 @@ int av_image_fill_pointers(uint8_t *data[4], enum PixelFormat pix_fmt, int heigh
return AVERROR(EINVAL);
data[0] = ptr;
if (linesizes[0] > (INT_MAX - 1024) / height)
return AVERROR(EINVAL);
size[0] = linesizes[0] * height;
if (desc->flags & PIX_FMT_PAL) {
@ -114,7 +121,11 @@ int av_image_fill_pointers(uint8_t *data[4], enum PixelFormat pix_fmt, int heigh
int h, s = (i == 1 || i == 2) ? desc->log2_chroma_h : 0;
data[i] = data[i-1] + size[i-1];
h = (height + (1 << s) - 1) >> s;
if (linesizes[i] > INT_MAX / h)
return AVERROR(EINVAL);
size[i] = h * linesizes[i];
if (total_size > INT_MAX - size[i])
return AVERROR(EINVAL);
total_size += size[i];
}