authorLaurent Aimar <fenrir@videolan.org>2011-09-27 12:16:41 +0000
committerReinhard Tartler <siretart@tauware.de>2012-03-18 17:50:35 +0100
commit9c78fe936013dfb6be0df46e4fb5c097f8a3b994 (patch)
tree7c27787be36e9417a89ad51a9953a9823a78a12b
parentc98d7882d8c67475bc756ebc956fed3d4d2ca696 (diff)
downloadffmpeg-9c78fe936013dfb6be0df46e4fb5c097f8a3b994.tar.gz
bink: Check for various out of bound writes
Signed-off-by: Janne Grunau <janne-libav@jannau.net> (cherry picked from commit a00676e48e49a3d794d6d2063ceca539e945a4a4) Signed-off-by: Anton Khirnov <anton@khirnov.net>
-rw-r--r--libavcodec/bink.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 420d08a0f4..7e48608127 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -343,14 +343,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
memset(b->cur_dec, v, t);
b->cur_dec += t;
} else {
- do {
+ while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree);
if (v) {
sign = -get_bits1(gb);
v = (v ^ sign) - sign;
}
*b->cur_dec++ = v;
- } while (b->cur_dec < dec_end);
+ }
}
return 0;
}
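Review bot: Nothing in this hunk shows that `dec_end` itself lies inside the bundle buffer, so the rewritten loop in read_motion_values is only as safe as the check that establishes `dec_end`, which sits outside the hunk along with the start of the function. The same holds for the `memset(b->cur_dec, v, t)` branch just above the loop. A one-line comment at the loop would record the invariant, for example `/* dec_end <= b->data_end was verified above; never store at dec_end */`, assuming that earlier check exists. The `while` conversion in read_block_types in the next hunk depends on the same invariant.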
@@ -374,7 +374,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
memset(b->cur_dec, v, t);
b->cur_dec += t;
} else {
- do {
+ while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree);
if (v < 12) {
last = v;
@@ -382,10 +382,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
} else {
int run = bink_rlelens[v - 12];
+ if (dec_end - b->cur_dec < run)
+ return -1;
memset(b->cur_dec, last, run);
b->cur_dec += run;
}
- } while (b->cur_dec < dec_end);
+ }
}
return 0;
}
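Review bot: The new `return -1` at the run check in read_block_types rejects a malformed run without any diagnostic, which makes a crafted or corrupt file hard to tell apart from other decode failures during triage. Logging before returning, for example `av_log(avctx, AV_LOG_ERROR, "Run value went out of bounds\n");`, would fix that, and `avctx` is already a parameter of this function. The checks added to read_dcs and binkb_read_bundle later in this commit return silently in the same way. The loop opens in the previous hunk and the function starts outside both.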
@@ -455,7 +457,8 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
int start_bits, int has_sign)
{
int i, j, len, len2, bsize, sign, v, v2;
- int16_t *dst = (int16_t*)b->cur_dec;
+ int16_t *dst = (int16_t*)b->cur_dec;
+ int16_t *dst_end = (int16_t*)b->data_end;
CHECK_READ_VAL(gb, b, len);
v = get_bits(gb, start_bits - has_sign);
@@ -463,10 +466,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
sign = -get_bits1(gb);
v = (v ^ sign) - sign;
}
+ if (dst_end - dst < 1)
+ return -1;
*dst++ = v;
len--;
for (i = 0; i < len; i += 8) {
len2 = FFMIN(len - i, 8);
+ if (dst_end - dst < len2)
+ return -1;
bsize = get_bits(gb, 4);
if (bsize) {
for (j = 0; j < len2; j++) {
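Review bot: The two checks added to read_dcs run after values may already have been stored, so a stream that fails the later test `dst_end - dst < len2` leaves a partially written bundle behind. Since `len` is known right after `CHECK_READ_VAL`, a single check there, `if (dst_end - dst < len) return -1;`, would reject the input before any write and would match the up-front check this commit adds to binkb_read_bundle. This assumes each pass of the outer loop stores exactly `len2` values; the loop body continues outside the hunk.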
@@ -534,6 +541,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num)
int i, len;
CHECK_READ_VAL(gb, b, len);
+ if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
+ return -1;
if (bits <= 8) {
if (!issigned) {
for (i = 0; i < len; i++)
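Review bot: The size expression `len * (1 + (bits > 8))` in the new binkb_read_bundle check encodes the element width as a boolean trick, which is easy to misread when auditing the bound. A comment above the check such as `/* values wider than 8 bits are stored as 2 bytes, otherwise 1 */` would make the intent explicit, assuming that is how the loops below store them. `bits` and `issigned` are defined outside the hunk, and the function body continues past it.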