RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Check pointers before writing to memory 

Originally committed as revision 3874 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Roberto Togni 2005-01-23 21:36:24 +00:00
parent 4ae33c9b52
commit cca1a42653
2 changed files with 35 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
libavcodec/qdrw.c
View File

@ -65,10 +65,15 @@ static int decode_frame(AVCodecContext *avctx,
} }
for (i = 0; i <= colors; i++) { for (i = 0; i <= colors; i++) {
int idx; unsigned int idx;
idx = BE_16(buf); /* color index */ idx = BE_16(buf); /* color index */
buf += 2; buf += 2;
if (idx > 255) {
av_log(avctx, AV_LOG_ERROR, "Palette index out of range: %u\n", idx);
buf += 6;
continue;
}
a->palette[idx * 3 + 0] = *buf++; a->palette[idx * 3 + 0] = *buf++;
buf++; buf++;
a->palette[idx * 3 + 1] = *buf++; a->palette[idx * 3 + 1] = *buf++;
@ -77,9 +82,6 @@ static int decode_frame(AVCodecContext *avctx,
buf++; buf++;
} }
if (colors)
a->pic.palette_has_changed = 1;
buf += 18; /* skip unneeded data */ buf += 18; /* skip unneeded data */
for (i = 0; i < avctx->height; i++) { for (i = 0; i < avctx->height; i++) {
int size, left, code, pix; int size, left, code, pix;
@ -98,6 +100,8 @@ static int decode_frame(AVCodecContext *avctx,
if (code & 0x80 ) { /* run */ if (code & 0x80 ) { /* run */
int i; int i;
pix = *buf++; pix = *buf++;
if ((out + (257 - code) * 3) > (outdata + a->pic.linesize[0]))
break;
for (i = 0; i < 257 - code; i++) { for (i = 0; i < 257 - code; i++) {
*out++ = a->palette[pix * 3 + 0]; *out++ = a->palette[pix * 3 + 0];
*out++ = a->palette[pix * 3 + 1]; *out++ = a->palette[pix * 3 + 1];
@ -107,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx,
left -= 2; left -= 2;
} else { /* copy */ } else { /* copy */
int i, pix; int i, pix;
if ((out + code * 3) > (outdata + a->pic.linesize[0]))
break;
for (i = 0; i <= code; i++) { for (i = 0; i <= code; i++) {
pix = *buf++; pix = *buf++;
*out++ = a->palette[pix * 3 + 0]; *out++ = a->palette[pix * 3 + 0];
@ -130,6 +136,10 @@ static int decode_frame(AVCodecContext *avctx,
static int decode_init(AVCodecContext *avctx){ static int decode_init(AVCodecContext *avctx){
// QdrawContext * const a = avctx->priv_data; // QdrawContext * const a = avctx->priv_data;
if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) {
return 1;
}
avctx->pix_fmt= PIX_FMT_RGB24; avctx->pix_fmt= PIX_FMT_RGB24;
return 0; return 0;

27
libavcodec/tscc.c
View File

@ -72,19 +72,22 @@ typedef struct TsccContext {
* *
*/ */
static int decode_rle(CamtasiaContext *c) static int decode_rle(CamtasiaContext *c, unsigned int srcsize)
{ {
unsigned char *src = c->decomp_buf; unsigned char *src = c->decomp_buf;
unsigned char *output; unsigned char *output, *output_end;
int p1, p2, line=c->height, pos=0, i; int p1, p2, line=c->height, pos=0, i;
output = c->pic.data[0] + (c->height - 1) * c->pic.linesize[0]; output = c->pic.data[0] + (c->height - 1) * c->pic.linesize[0];
while(src < c->decomp_buf + c->decomp_size) { output_end = c->pic.data[0] + (c->height) * c->pic.linesize[0];
while(src < c->decomp_buf + srcsize) {
p1 = *src++; p1 = *src++;
if(p1 == 0) { //Escape code if(p1 == 0) { //Escape code
p2 = *src++; p2 = *src++;
if(p2 == 0) { //End-of-line if(p2 == 0) { //End-of-line
output = c->pic.data[0] + (--line) * c->pic.linesize[0]; output = c->pic.data[0] + (--line) * c->pic.linesize[0];
if (line < 0)
return -1;
pos = 0; pos = 0;
continue; continue;
} else if(p2 == 1) { //End-of-picture } else if(p2 == 1) { //End-of-picture
@ -93,11 +96,17 @@ static int decode_rle(CamtasiaContext *c)
p1 = *src++; p1 = *src++;
p2 = *src++; p2 = *src++;
line -= p2; line -= p2;
if (line < 0)
return -1;
pos += p1; pos += p1;
output = c->pic.data[0] + line * c->pic.linesize[0] + pos * (c->bpp / 8); output = c->pic.data[0] + line * c->pic.linesize[0] + pos * (c->bpp / 8);
continue; continue;
} }
// Copy data // Copy data
if (output + p2 * (c->bpp / 8) > output_end) {
src += p2 * (c->bpp / 8);
continue;
}
for(i = 0; i < p2 * (c->bpp / 8); i++) { for(i = 0; i < p2 * (c->bpp / 8); i++) {
*output++ = *src++; *output++ = *src++;
} }
@ -119,6 +128,8 @@ static int decode_rle(CamtasiaContext *c)
pix[2] = *src++; pix[2] = *src++;
break; break;
} }
if (output + p1 * (c->bpp / 8) > output_end)
continue;
for(i = 0; i < p1; i++) { for(i = 0; i < p1; i++) {
switch(c->bpp){ switch(c->bpp){
case 8: *output++ = pix[0]; case 8: *output++ = pix[0];
@ -183,10 +194,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8
av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", zret); av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", zret);
return -1; return -1;
} }
encoded = c->decomp_buf;
len = c->decomp_size;
if(zret != Z_DATA_ERROR) if(zret != Z_DATA_ERROR)
decode_rle(c); decode_rle(c, c->zstream.avail_out);
/* make the palette available on the way out */ /* make the palette available on the way out */
if (c->avctx->pix_fmt == PIX_FMT_PAL8) { if (c->avctx->pix_fmt == PIX_FMT_PAL8) {
@ -227,6 +238,10 @@ static int decode_init(AVCodecContext *avctx)
c->pic.data[0] = NULL; c->pic.data[0] = NULL;
c->height = avctx->height; c->height = avctx->height;
if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) {
return 1;
}
#ifdef CONFIG_ZLIB #ifdef CONFIG_ZLIB
// Needed if zlib unused or init aborted before inflateInit // Needed if zlib unused or init aborted before inflateInit
memset(&(c->zstream), 0, sizeof(z_stream)); memset(&(c->zstream), 0, sizeof(z_stream));