RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

4xm: forward errors from decode_p_block 

Partially mitigate out of memory writes.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Luca Barbato 2013-06-05 22:33:34 +02:00
parent 50ec1db62d
commit b8b809908e
1 changed files with 22 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
libavcodec/4xm.c
View File

@ -331,7 +331,7 @@ static inline void mcdc(uint16_t *dst, uint16_t *src, int log2w,
} }
} }
static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, static int decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
int log2w, int log2h, int stride) int log2w, int log2h, int stride)
{ {
const int index = size2index[log2h][log2w]; const int index = size2index[log2h][log2w];
@ -341,33 +341,41 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
BLOCK_TYPE_VLC_BITS, 1); BLOCK_TYPE_VLC_BITS, 1);
uint16_t *start = (uint16_t *)f->last_picture->data[0]; uint16_t *start = (uint16_t *)f->last_picture->data[0];
uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w); uint16_t *end = start + stride * (f->avctx->height - h + 1) - (1 << log2w);
int ret;
assert(code >= 0 && code <= 6); if (code < 0 || code > 6)
return AVERROR_INVALIDDATA;
if (code == 0) { if (code == 0) {
src += f->mv[bytestream2_get_byte(&f->g)]; src += f->mv[bytestream2_get_byte(&f->g)];
if (start > src || src > end) { if (start > src || src > end) {
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return; return AVERROR_INVALIDDATA;
} }
mcdc(dst, src, log2w, h, stride, 1, 0); mcdc(dst, src, log2w, h, stride, 1, 0);
} else if (code == 1) { } else if (code == 1) {
log2h--; log2h--;
decode_p_block(f, dst, src, log2w, log2h, stride); if ((ret = decode_p_block(f, dst, src, log2w, log2h, stride)) < 0)
decode_p_block(f, dst + (stride << log2h), return ret;
src + (stride << log2h), log2w, log2h, stride); if ((ret = decode_p_block(f, dst + (stride << log2h),
src + (stride << log2h),
log2w, log2h, stride)) < 0)
return ret;
} else if (code == 2) { } else if (code == 2) {
log2w--; log2w--;
decode_p_block(f, dst , src, log2w, log2h, stride); if ((ret = decode_p_block(f, dst , src, log2w, log2h, stride)) < 0)
decode_p_block(f, dst + (1 << log2w), return ret;
src + (1 << log2w), log2w, log2h, stride); if ((ret = decode_p_block(f, dst + (1 << log2w),
src + (1 << log2w),
log2w, log2h, stride)) < 0)
return ret;
} else if (code == 3 && f->version < 2) { } else if (code == 3 && f->version < 2) {
mcdc(dst, src, log2w, h, stride, 1, 0); mcdc(dst, src, log2w, h, stride, 1, 0);
} else if (code == 4) { } else if (code == 4) {
src += f->mv[bytestream2_get_byte(&f->g)]; src += f->mv[bytestream2_get_byte(&f->g)];
if (start > src || src > end) { if (start > src || src > end) {
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n"); av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return; return AVERROR_INVALIDDATA;
} }
mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2)); mcdc(dst, src, log2w, h, stride, 1, bytestream2_get_le16(&f->g2));
} else if (code == 5) { } else if (code == 5) {
@ -381,6 +389,7 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src,
dst[stride] = bytestream2_get_le16(&f->g2); dst[stride] = bytestream2_get_le16(&f->g2);
} }
} }
return 0;
} }
static int decode_p_frame(FourXContext *f, AVFrame *frame, static int decode_p_frame(FourXContext *f, AVFrame *frame,
@ -451,7 +460,8 @@ static int decode_p_frame(FourXContext *f, AVFrame *frame,
for (y = 0; y < height; y += 8) { for (y = 0; y < height; y += 8) {
for (x = 0; x < width; x += 8) for (x = 0; x < width; x += 8)
decode_p_block(f, dst + x, src + x, 3, 3, stride); if ((ret = decode_p_block(f, dst + x, src + x, 3, 3, stride)) < 0)
return ret;
src += 8 * stride; src += 8 * stride;
dst += 8 * stride; dst += 8 * stride;
} }