Browse code
Check pointers before writing to memory
Originally committed as revision 3874 to svn://svn.ffmpeg.org/ffmpeg/trunk
Roberto Togni authored on 2005/01/24 06:36:24Showing 2 changed files
| ... | ... |
@@ -65,10 +65,15 @@ static int decode_frame(AVCodecContext *avctx, |
| 65 | 65 |
} |
| 66 | 66 |
|
| 67 | 67 |
for (i = 0; i <= colors; i++) {
|
| 68 |
- int idx; |
|
| 68 |
+ unsigned int idx; |
|
| 69 | 69 |
idx = BE_16(buf); /* color index */ |
| 70 | 70 |
buf += 2; |
| 71 | 71 |
|
| 72 |
+ if (idx > 255) {
|
|
| 73 |
+ av_log(avctx, AV_LOG_ERROR, "Palette index out of range: %u\n", idx); |
|
| 74 |
+ buf += 6; |
|
| 75 |
+ continue; |
|
| 76 |
+ } |
|
| 72 | 77 |
a->palette[idx * 3 + 0] = *buf++; |
| 73 | 78 |
buf++; |
| 74 | 79 |
a->palette[idx * 3 + 1] = *buf++; |
| ... | ... |
@@ -77,9 +82,6 @@ static int decode_frame(AVCodecContext *avctx, |
| 77 | 77 |
buf++; |
| 78 | 78 |
} |
| 79 | 79 |
|
| 80 |
- if (colors) |
|
| 81 |
- a->pic.palette_has_changed = 1; |
|
| 82 |
- |
|
| 83 | 80 |
buf += 18; /* skip unneeded data */ |
| 84 | 81 |
for (i = 0; i < avctx->height; i++) {
|
| 85 | 82 |
int size, left, code, pix; |
| ... | ... |
@@ -98,6 +100,8 @@ static int decode_frame(AVCodecContext *avctx, |
| 98 | 98 |
if (code & 0x80 ) { /* run */
|
| 99 | 99 |
int i; |
| 100 | 100 |
pix = *buf++; |
| 101 |
+ if ((out + (257 - code) * 3) > (outdata + a->pic.linesize[0])) |
|
| 102 |
+ break; |
|
| 101 | 103 |
for (i = 0; i < 257 - code; i++) {
|
| 102 | 104 |
*out++ = a->palette[pix * 3 + 0]; |
| 103 | 105 |
*out++ = a->palette[pix * 3 + 1]; |
| ... | ... |
@@ -107,6 +111,8 @@ static int decode_frame(AVCodecContext *avctx, |
| 107 | 107 |
left -= 2; |
| 108 | 108 |
} else { /* copy */
|
| 109 | 109 |
int i, pix; |
| 110 |
+ if ((out + code * 3) > (outdata + a->pic.linesize[0])) |
|
| 111 |
+ break; |
|
| 110 | 112 |
for (i = 0; i <= code; i++) {
|
| 111 | 113 |
pix = *buf++; |
| 112 | 114 |
*out++ = a->palette[pix * 3 + 0]; |
| ... | ... |
@@ -130,6 +136,10 @@ static int decode_frame(AVCodecContext *avctx, |
| 130 | 130 |
static int decode_init(AVCodecContext *avctx){
|
| 131 | 131 |
// QdrawContext * const a = avctx->priv_data; |
| 132 | 132 |
|
| 133 |
+ if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) {
|
|
| 134 |
+ return 1; |
|
| 135 |
+ } |
|
| 136 |
+ |
|
| 133 | 137 |
avctx->pix_fmt= PIX_FMT_RGB24; |
| 134 | 138 |
|
| 135 | 139 |
return 0; |
| ... | ... |
@@ -72,19 +72,22 @@ typedef struct TsccContext {
|
| 72 | 72 |
* |
| 73 | 73 |
*/ |
| 74 | 74 |
|
| 75 |
-static int decode_rle(CamtasiaContext *c) |
|
| 75 |
+static int decode_rle(CamtasiaContext *c, unsigned int srcsize) |
|
| 76 | 76 |
{
|
| 77 | 77 |
unsigned char *src = c->decomp_buf; |
| 78 |
- unsigned char *output; |
|
| 78 |
+ unsigned char *output, *output_end; |
|
| 79 | 79 |
int p1, p2, line=c->height, pos=0, i; |
| 80 | 80 |
|
| 81 | 81 |
output = c->pic.data[0] + (c->height - 1) * c->pic.linesize[0]; |
| 82 |
- while(src < c->decomp_buf + c->decomp_size) {
|
|
| 82 |
+ output_end = c->pic.data[0] + (c->height) * c->pic.linesize[0]; |
|
| 83 |
+ while(src < c->decomp_buf + srcsize) {
|
|
| 83 | 84 |
p1 = *src++; |
| 84 | 85 |
if(p1 == 0) { //Escape code
|
| 85 | 86 |
p2 = *src++; |
| 86 | 87 |
if(p2 == 0) { //End-of-line
|
| 87 | 88 |
output = c->pic.data[0] + (--line) * c->pic.linesize[0]; |
| 89 |
+ if (line < 0) |
|
| 90 |
+ return -1; |
|
| 88 | 91 |
pos = 0; |
| 89 | 92 |
continue; |
| 90 | 93 |
} else if(p2 == 1) { //End-of-picture
|
| ... | ... |
@@ -93,11 +96,17 @@ static int decode_rle(CamtasiaContext *c) |
| 93 | 93 |
p1 = *src++; |
| 94 | 94 |
p2 = *src++; |
| 95 | 95 |
line -= p2; |
| 96 |
+ if (line < 0) |
|
| 97 |
+ return -1; |
|
| 96 | 98 |
pos += p1; |
| 97 | 99 |
output = c->pic.data[0] + line * c->pic.linesize[0] + pos * (c->bpp / 8); |
| 98 | 100 |
continue; |
| 99 | 101 |
} |
| 100 | 102 |
// Copy data |
| 103 |
+ if (output + p2 * (c->bpp / 8) > output_end) {
|
|
| 104 |
+ src += p2 * (c->bpp / 8); |
|
| 105 |
+ continue; |
|
| 106 |
+ } |
|
| 101 | 107 |
for(i = 0; i < p2 * (c->bpp / 8); i++) {
|
| 102 | 108 |
*output++ = *src++; |
| 103 | 109 |
} |
| ... | ... |
@@ -119,6 +128,8 @@ static int decode_rle(CamtasiaContext *c) |
| 119 | 119 |
pix[2] = *src++; |
| 120 | 120 |
break; |
| 121 | 121 |
} |
| 122 |
+ if (output + p1 * (c->bpp / 8) > output_end) |
|
| 123 |
+ continue; |
|
| 122 | 124 |
for(i = 0; i < p1; i++) {
|
| 123 | 125 |
switch(c->bpp){
|
| 124 | 126 |
case 8: *output++ = pix[0]; |
| ... | ... |
@@ -183,10 +194,10 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8 |
| 183 | 183 |
av_log(avctx, AV_LOG_ERROR, "Inflate error: %d\n", zret); |
| 184 | 184 |
return -1; |
| 185 | 185 |
} |
| 186 |
- encoded = c->decomp_buf; |
|
| 187 |
- len = c->decomp_size; |
|
| 186 |
+ |
|
| 187 |
+ |
|
| 188 | 188 |
if(zret != Z_DATA_ERROR) |
| 189 |
- decode_rle(c); |
|
| 189 |
+ decode_rle(c, c->zstream.avail_out); |
|
| 190 | 190 |
|
| 191 | 191 |
/* make the palette available on the way out */ |
| 192 | 192 |
if (c->avctx->pix_fmt == PIX_FMT_PAL8) {
|
| ... | ... |
@@ -227,6 +238,10 @@ static int decode_init(AVCodecContext *avctx) |
| 227 | 227 |
c->pic.data[0] = NULL; |
| 228 | 228 |
c->height = avctx->height; |
| 229 | 229 |
|
| 230 |
+ if (avcodec_check_dimensions(avctx, avctx->height, avctx->width) < 0) {
|
|
| 231 |
+ return 1; |
|
| 232 |
+ } |
|
| 233 |
+ |
|
| 230 | 234 |
#ifdef CONFIG_ZLIB |
| 231 | 235 |
// Needed if zlib unused or init aborted before inflateInit |
| 232 | 236 |
memset(&(c->zstream), 0, sizeof(z_stream)); |