sgidec: fix buffer size check in expand_rle_row()

Right now it will spuriously fail if the linesize is exactly equal to the data width. CC:libav-stable@libav.org
2014-01-02 09:34:20 +01:00 · 2014-01-02 09:34:20 +01:00 · f4a8a00805
parent adb199d1bc
commit f4a8a00805
1 changed files with 18 additions and 4 deletions
--- a/libavcodec/sgidec.c
+++ b/libavcodec/sgidec.c
@ -26,6 +26,7 @@
 #include "sgi.h"

 typedef struct SgiState {
+    AVCodecContext *avctx;
    unsigned int width;
    unsigned int height;
    unsigned int depth;
@ -38,12 +39,12 @@ typedef struct SgiState {
 * Expand an RLE row into a channel.
 * @param s the current image state
 * @param out_buf Points to one line after the output buffer.
- * @param out_end end of line in output buffer
+ * @param len length of out_buf in bytes
 * @param pixelstride pixel stride of input buffer
 * @return size of output in bytes, -1 if buffer overflows
 */
 static int expand_rle_row(SgiState *s, uint8_t *out_buf,
-                          uint8_t *out_end, int pixelstride)
+                          int len, int pixelstride)
 {
    unsigned char pixel, count;
    unsigned char *orig = out_buf;
@ -57,7 +58,10 @@ static int expand_rle_row(SgiState *s, uint8_t *out_buf,
        }

        /* Check for buffer overflow. */
-        if(out_buf + pixelstride * count >= out_end) return -1;
+        if (pixelstride * (count - 1) >= len) {
+            av_log(s->avctx, AV_LOG_ERROR, "Invalid pixel count.\n");
+            return AVERROR_INVALIDDATA;
+        }

        if (pixel & 0x80) {
            while (count--) {
@ -100,7 +104,7 @@ static int read_rle_sgi(uint8_t *out_buf, SgiState *s)
            dest_row -= s->linesize;
            start_offset = bytestream2_get_be32(&g_table);
            bytestream2_seek(&s->g, start_offset, SEEK_SET);
-            if (expand_rle_row(s, dest_row + z, dest_row + FFABS(s->linesize),
+            if (expand_rle_row(s, dest_row + z, FFABS(s->linesize) - z,
                               s->depth) != s->width) {
                return AVERROR_INVALIDDATA;
            }
@ -233,6 +237,15 @@ static int decode_frame(AVCodecContext *avctx,
    }
 }

+static av_cold int sgi_decode_init(AVCodecContext *avctx)
+{
+    SgiState *s = avctx->priv_data;
+
+    s->avctx = avctx;
+
+    return 0;
+}
+
 AVCodec ff_sgi_decoder = {
    .name           = "sgi",
    .long_name      = NULL_IF_CONFIG_SMALL("SGI image"),
@ -240,5 +253,6 @@ AVCodec ff_sgi_decoder = {
    .id             = AV_CODEC_ID_SGI,
    .priv_data_size = sizeof(SgiState),
    .decode         = decode_frame,
+    .init           = sgi_decode_init,
    .capabilities   = CODEC_CAP_DR1,
 };