Merge commit '108ca6fad1e0e9af8d6337f908bfd23807b7fbd6' into release/1.1

* commit '108ca6fad1e0e9af8d6337f908bfd23807b7fbd6': yop: check for input overreads. yop: check that extradata is large enough. fraps: fix off-by one bug for version 1. Conflicts: libavcodec/fraps.c libavcodec/yop.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-02-14 12:57:14 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-02-14 12:57:14 +0100
commit: 81bcf9454e19702d43e0d314047acbe97226ed89 (patch)
tree: 92f11a319378bd9157356377ede1b02cac0b3001
parent: 5a3c8f95d5bfbab31ce4b460d41b193c4a2cfbb5 (diff)
parent: 108ca6fad1e0e9af8d6337f908bfd23807b7fbd6 (diff)
download: ffmpeg-81bcf9454e19702d43e0d314047acbe97226ed89.tar.gz
4 files changed, 25 insertions, 10 deletions
diff --git a/cmdutils.c b/cmdutils.c
index 38c8159e73..cfbe93320a 100644
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -1851,7 +1851,7 @@ static int alloc_buffer(FrameBuffer **pool, AVCodecContext *s, FrameBuffer **pbu
     /* XXX this shouldn't be needed, but some tests break without this line
      * those decoders are buggy and need to be fixed.
      * the following tests fail:
-     * cdgraphics, ansi, aasc, fraps-v1, qtrle-1bit
+     * cdgraphics, ansi, aasc, qtrle-1bit
      */
     memset(buf->base[0], 128, ret);
 
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index 6500c853e2..e0fa916481 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -245,10 +245,10 @@ static int decode_frame(AVCodecContext *avctx,
 
     case 1:
         /* Fraps v1 is an upside-down BGR24 */
-        for(y=0; y<avctx->height; y++)
-            memcpy(&f->data[0][ (avctx->height-y)*f->linesize[0] ],
-                   &buf[y*avctx->width*3],
-                   3*avctx->width);
+            for(y=0; y<avctx->height; y++)
+                memcpy(&f->data[0][ (avctx->height - y -1) * f->linesize[0]],
+                       &buf[y*avctx->width*3],
+                       3*avctx->width);
         break;
 
     case 2:
diff --git a/libavcodec/yop.c b/libavcodec/yop.c
index 337fb88365..1db567f456 100644
--- a/libavcodec/yop.c
+++ b/libavcodec/yop.c
@@ -39,6 +39,7 @@ typedef struct YopDecContext {
 
     uint8_t *low_nibble;
     uint8_t *srcptr;
+    uint8_t *src_end;
     uint8_t *dstptr;
     uint8_t *dstbuf;
 } YopDecContext;
@@ -88,8 +89,8 @@ static av_cold int yop_decode_init(AVCodecContext *avctx)
         return -1;
     }
 
-    if (!avctx->extradata) {
-        av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
+    if (avctx->extradata_size < 3) {
+        av_log(avctx, AV_LOG_ERROR, "Missing or incomplete extradata.\n");
         return AVERROR_INVALIDDATA;
     }
 
@@ -123,8 +124,13 @@ static av_cold int yop_decode_close(AVCodecContext *avctx)
  * @param s codec context
  * @param tag the tag that was in the nibble
  */
-static void yop_paint_block(YopDecContext *s, int tag)
+static int yop_paint_block(YopDecContext *s, int tag)
 {
+    if (s->src_end - s->srcptr < paint_lut[tag][3]) {
+        av_log(s->avctx, AV_LOG_ERROR, "Packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     s->dstptr[0]                        = s->srcptr[0];
     s->dstptr[1]                        = s->srcptr[paint_lut[tag][0]];
     s->dstptr[s->frame.linesize[0]]     = s->srcptr[paint_lut[tag][1]];
@@ -132,6 +138,7 @@ static void yop_paint_block(YopDecContext *s, int tag)
 
     // The number of src bytes consumed is in the last part of the lut entry.
     s->srcptr += paint_lut[tag][3];
+    return 0;
 }
 
 /**
@@ -184,6 +191,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     int ret, i, x, y;
     uint32_t *palette;
 
+    if (avpkt->size < 4 + 3 * s->num_pal_colors) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (s->frame.data[0])
         avctx->release_buffer(avctx, &s->frame);
 
@@ -201,6 +213,7 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     s->dstbuf     = s->frame.data[0];
     s->dstptr     = s->frame.data[0];
     s->srcptr     = avpkt->data + 4;
+    s->src_end    = avpkt->data + avpkt->size;
     s->low_nibble = NULL;
 
     is_odd_frame = avpkt->data[0];
@@ -231,7 +244,9 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             tag = yop_get_next_nibble(s);
 
             if (tag != 0xf) {
-                yop_paint_block(s, tag);
+                ret = yop_paint_block(s, tag);
+                if (ret < 0)
+                    return ret;
             } else {
                 tag = yop_get_next_nibble(s);
                 ret = yop_copy_previous_block(s, tag);
diff --git a/tests/ref/fate/fraps-v1 b/tests/ref/fate/fraps-v1
index 64392c33b4..29c7e37df3 100644
--- a/tests/ref/fate/fraps-v1
+++ b/tests/ref/fate/fraps-v1
@@ -1,2 +1,2 @@
 #tb 0: 1/25
-0,          0,          0,        1,   230400, 0x6bc891ff
+0,          0,          0,        1,   230400, 0x23c29d17
author	Michael Niedermayer <michaelni@gmx.at>	2013-02-14 12:57:14 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-02-14 12:57:14 +0100
commit	81bcf9454e19702d43e0d314047acbe97226ed89 (patch)
tree	92f11a319378bd9157356377ede1b02cac0b3001
parent	5a3c8f95d5bfbab31ce4b460d41b193c4a2cfbb5 (diff)
parent	108ca6fad1e0e9af8d6337f908bfd23807b7fbd6 (diff)
download	ffmpeg-81bcf9454e19702d43e0d314047acbe97226ed89.tar.gz