
Check for various out of bound writes in the bink decoder.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Laurent Aimar authored on 2011/09/27 08:02:16
Showing 1 changed files
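--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -344,14 +344,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
         memset(b->cur_dec, v, t);
         b->cur_dec += t;
     } else {
-        do {
+        while (b->cur_dec < dec_end) {
             v = GET_HUFF(gb, b->tree);
             if (v) {
                 sign = -get_bits1(gb);
                 v = (v ^ sign) - sign;
             }
             *b->cur_dec++ = v;
-        } while (b->cur_dec < dec_end);
+        }
     }
     return 0;
 }
@@ -375,7 +375,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
         memset(b->cur_dec, v, t);
         b->cur_dec += t;
     } else {
-        do {
+        while (b->cur_dec < dec_end) {
             v = GET_HUFF(gb, b->tree);
             if (v < 12) {
                 last = v;
@@ -383,10 +383,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
             } else {
                 int run = bink_rlelens[v - 12];
 
+                if (dec_end - b->cur_dec < run)
+                    return -1;
                 memset(b->cur_dec, last, run);
                 b->cur_dec += run;
             }
-        } while (b->cur_dec < dec_end);
+        }
     }
     return 0;
 }
@@ -457,6 +459,7 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
 {
     int i, j, len, len2, bsize, sign, v, v2;
     int16_t *dst = (int16_t*)b->cur_dec;
+    int16_t *dst_end =( int16_t*)b->data_end;
 
     CHECK_READ_VAL(gb, b, len);
     v = get_bits(gb, start_bits - has_sign);
@@ -464,10 +467,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
         sign = -get_bits1(gb);
         v = (v ^ sign) - sign;
     }
+    if (dst_end - dst < 1)
+        return -1;
     *dst++ = v;
     len--;
     for (i = 0; i < len; i += 8) {
         len2 = FFMIN(len - i, 8);
+        if (dst_end - dst < len2)
+            return -1;
         bsize = get_bits(gb, 4);
         if (bsize) {
             for (j = 0; j < len2; j++) {
@@ -535,6 +542,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num)
     int i, len;
 
     CHECK_READ_VAL(gb, b, len);
+    if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
+        return -1;
     if (bits <= 8) {
         if (!issigned) {
             for (i = 0; i < len; i++)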