avs: check for out of bound reads
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
parent
76c6971a64
commit
de049a95f4
@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx,
|
||||
void *data, int *data_size, AVPacket *avpkt)
|
||||
{
|
||||
const uint8_t *buf = avpkt->data;
|
||||
const uint8_t *buf_end = avpkt->data + avpkt->size;
|
||||
int buf_size = avpkt->size;
|
||||
AvsContext *const avs = avctx->priv_data;
|
||||
AVFrame *picture = data;
|
||||
@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx,
|
||||
out = avs->picture.data[0];
|
||||
stride = avs->picture.linesize[0];
|
||||
|
||||
if (buf_end - buf < 4)
|
||||
return AVERROR_INVALIDDATA;
|
||||
sub_type = buf[0];
|
||||
type = buf[1];
|
||||
buf += 4;
|
||||
@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx,
|
||||
|
||||
first = AV_RL16(buf);
|
||||
last = first + AV_RL16(buf + 2);
|
||||
if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first))
|
||||
return AVERROR_INVALIDDATA;
|
||||
buf += 4;
|
||||
for (i=first; i<last; i++, buf+=3)
|
||||
pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2);
|
||||
@ -114,9 +119,13 @@ avs_decode_frame(AVCodecContext * avctx,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (buf_end - buf < 256 * vect_w * vect_h)
|
||||
return AVERROR_INVALIDDATA;
|
||||
table = buf + (256 * vect_w * vect_h);
|
||||
if (sub_type != AVS_I_FRAME) {
|
||||
int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
|
||||
if (buf_end - table < map_size)
|
||||
return AVERROR_INVALIDDATA;
|
||||
init_get_bits(&change_map, table, map_size * 8);
|
||||
table += map_size;
|
||||
}
|
||||
@ -124,6 +133,8 @@ avs_decode_frame(AVCodecContext * avctx,
|
||||
for (y=0; y<198; y+=vect_h) {
|
||||
for (x=0; x<318; x+=vect_w) {
|
||||
if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) {
|
||||
if (buf_end - table < 1)
|
||||
return AVERROR_INVALIDDATA;
|
||||
vect = &buf[*table++ * (vect_w * vect_h)];
|
||||
for (j=0; j<vect_w; j++) {
|
||||
out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j];
|
||||
|
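Review bot: The two `AV_RL16` reads in the palette hunk (`@ -79,6 +82,8`) run before the length check that is meant to cover them: `first = AV_RL16(buf)` and `last = first + AV_RL16(buf + 2)` touch four bytes, while the earlier `buf_end - buf < 4` guard only accounted for the header bytes already consumed by `buf += 4`. Unless the lines between those two hunks (not shown here) verify the remaining length, a packet that ends right after the header lets both reads run past `avpkt->size`; the packet's input padding probably absorbs this, but the bounds check should not depend on it. Placing `if (buf_end - buf < 4) return AVERROR_INVALIDDATA;` ahead of `first = AV_RL16(buf);` closes the gap and leaves the existing combined check to validate the palette entries. The expression `4 + 4 + 3 * (last - first)` also deserves a short comment naming each term, since the second `4` presumably reserves room for a chunk header read after the palette and nothing in the visible lines says so. The new checks return `AVERROR_INVALIDDATA` while the context line `return -1;` in the same function (which continues outside these hunks) does not, so the error convention is now mixed.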