
qtrle: check for out of bound writes.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fb92be7e50ea4ba5712804326c6814ae02dd190)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit a65045915f5b4ec6da73df54d1914b320a861223)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Laurent Aimar authored on 2011/10/09 06:40:36
Showing 1 changed files
... ...
@@ -127,6 +127,7 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int stream_ptr,
127 127
     while (lines_to_change--) {
128 128
         CHECK_STREAM_PTR(2);
129 129
         pixel_ptr = row_ptr + (num_pixels * (s->buf[stream_ptr++] - 1));
130
+        CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
130 131
 
131 132
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
132 133
             if (rle_code == 0) {
... ...
@@ -183,6 +184,7 @@ static void qtrle_decode_8bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
183 183
     while (lines_to_change--) {
184 184
         CHECK_STREAM_PTR(2);
185 185
         pixel_ptr = row_ptr + (4 * (s->buf[stream_ptr++] - 1));
186
+        CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
186 187
 
187 188
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
188 189
             if (rle_code == 0) {
... ...
@@ -236,6 +238,7 @@ static void qtrle_decode_16bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
236 236
     while (lines_to_change--) {
237 237
         CHECK_STREAM_PTR(2);
238 238
         pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 2;
239
+        CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
239 240
 
240 241
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
241 242
             if (rle_code == 0) {
... ...
@@ -285,6 +288,7 @@ static void qtrle_decode_24bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
285 285
     while (lines_to_change--) {
286 286
         CHECK_STREAM_PTR(2);
287 287
         pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 3;
288
+        CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
288 289
 
289 290
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
290 291
             if (rle_code == 0) {
... ...
@@ -336,6 +340,7 @@ static void qtrle_decode_32bpp(QtrleContext *s, int stream_ptr, int row_ptr, int
336 336
     while (lines_to_change--) {
337 337
         CHECK_STREAM_PTR(2);
338 338
         pixel_ptr = row_ptr + (s->buf[stream_ptr++] - 1) * 4;
339
+        CHECK_PIXEL_PTR(0);  /* make sure pixel_ptr is positive */
339 340
 
340 341
         while ((rle_code = (signed char)s->buf[stream_ptr++]) != -1) {
341 342
             if (rle_code == 0) {
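Review bot: The added `CHECK_PIXEL_PTR(0)` in qtrle_decode_2n4bpp validates only the per-line skip byte. The `if (rle_code == 0) {` branch that follows continues outside the hunk, and if it moves `pixel_ptr` by another stream byte minus one, it needs the same check directly after that update. The 8, 16, 24 and 32 bpp hunks have the same shape, so the same applies to them. A skip byte of 0 on a row where `row_ptr > 0` yields an offset that is non-negative but lies before the start of the current row, which this check presumably accepts (the macro body is not shown here); a stricter guard would be `if (pixel_ptr < row_ptr) return;`. Since an offset of zero is valid, the comment would be more accurate as `/* reject a negative pixel_ptr (skip byte of 0) */`.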