diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-08-22 01:07:32 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-08-22 01:44:37 +0200 |
| commit | fde0b7d91c9cbcc427f87c2651f39d0075c66efe (patch) | |
| tree | 3a70af8fbf2caecb91d6dc94a10b6893bfe0c1e1 | |
| parent | b5f685211cd49dbd5b821f4ff1dc345c9326ff78 (diff) | |
| download | ffmpeg-fde0b7d91c9cbcc427f87c2651f39d0075c66efe.tar.gz | |
avcodec/rpza: Perform pointer advance and checks before using the pointers
Fixes out of array accesses
Fixes Ticket2850
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
Conflicts:
libavcodec/rpza.c
(cherry picked from commit edba432b8b01d68c22e70a508f47553359f59fb5)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/rpza.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index 27ed71f937..4a0025ba63 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -84,7 +84,7 @@ static void rpza_decode_stream(RpzaContext *s) unsigned short *pixels = (unsigned short *)s->frame.data[0]; int row_ptr = 0; - int pixel_ptr = 0; + int pixel_ptr = -4; int block_ptr; int pixel_x, pixel_y; int total_blocks; @@ -140,6 +140,7 @@ static void rpza_decode_stream(RpzaContext *s) colorA = AV_RB16 (&s->buf[stream_ptr]); stream_ptr += 2; while (n_blocks--) { + ADVANCE_BLOCK() block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -148,7 +149,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; @@ -185,6 +185,7 @@ static void rpza_decode_stream(RpzaContext *s) color4[2] |= ((21 * ta + 11 * tb) >> 5); while (n_blocks--) { + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { index = s->buf[stream_ptr++]; @@ -195,12 +196,12 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); } break; /* Fill block with 16 colors */ case 0x00: + ADVANCE_BLOCK(); block_ptr = row_ptr + pixel_ptr; for (pixel_y = 0; pixel_y < 4; pixel_y++) { for (pixel_x = 0; pixel_x < 4; pixel_x++){ @@ -214,7 +215,6 @@ static void rpza_decode_stream(RpzaContext *s) } block_ptr += row_inc; } - ADVANCE_BLOCK(); break; /* Unknown opcode */ |