aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2015-03-24 15:50:12 +0100
committerMichael Niedermayer <michaelni@gmx.at>2015-04-17 15:20:29 +0200
commita376ef4a17edb947bbcf54171daa914bd4585a4f (patch)
tree44ecb551375712b304540569c1c513cac7162867
parent43fdd89a3f07af315d17a9d8ea6cd13a91e589ee (diff)
downloadffmpeg-a376ef4a17edb947bbcf54171daa914bd4585a4f.tar.gz
avcodec/msrledec: restructure msrle_decode_pal4() based on the line number instead of the pixel pointer
Fixes out of array access Fixes: da14e86d8462be6493eab16bc2d40f88/asan_heap-oob_204cfd2_528_cov_340150052_COMPRESS.BMP Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit f7e1367f58263593e6cee3c282f7277d7ee9d553) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/msrledec.c25
1 files changed, 11 insertions, 14 deletions
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index 4d3da5ba17..deb6f86523 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -37,16 +37,14 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
unsigned char extra_byte, odd_pixel;
unsigned char stream_byte;
unsigned int pixel_ptr = 0;
- int row_dec = pic->linesize[0];
- int row_ptr = (avctx->height - 1) * row_dec;
- int frame_size = row_dec * avctx->height;
+ int line = avctx->height - 1;
int i;
- while (row_ptr >= 0) {
+ while (line >= 0 && pixel_ptr <= avctx->width) {
if (bytestream2_get_bytes_left(gb) <= 0) {
av_log(avctx, AV_LOG_ERROR,
- "MS RLE: bytestream overrun, %d rows left\n",
- row_ptr);
+ "MS RLE: bytestream overrun, %dx%d left\n",
+ avctx->width - pixel_ptr, line);
return AVERROR_INVALIDDATA;
}
rle_code = stream_byte = bytestream2_get_byteu(gb);
@@ -55,7 +53,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
stream_byte = bytestream2_get_byte(gb);
if (stream_byte == 0) {
/* line is done, goto the next one */
- row_ptr -= row_dec;
+ line--;
pixel_ptr = 0;
} else if (stream_byte == 1) {
/* decode is done */
@@ -65,13 +63,12 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
stream_byte = bytestream2_get_byte(gb);
pixel_ptr += stream_byte;
stream_byte = bytestream2_get_byte(gb);
- row_ptr -= stream_byte * row_dec;
} else {
// copy pixels from encoded stream
odd_pixel = stream_byte & 1;
rle_code = (stream_byte + 1) / 2;
extra_byte = rle_code & 0x01;
- if (row_ptr + pixel_ptr + stream_byte > frame_size ||
+ if (pixel_ptr + 2*rle_code - odd_pixel > avctx->width ||
bytestream2_get_bytes_left(gb) < rle_code) {
av_log(avctx, AV_LOG_ERROR,
"MS RLE: frame/stream ptr just went out of bounds (copy)\n");
@@ -82,13 +79,13 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
if (pixel_ptr >= avctx->width)
break;
stream_byte = bytestream2_get_byteu(gb);
- pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
+ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
pixel_ptr++;
if (i + 1 == rle_code && odd_pixel)
break;
if (pixel_ptr >= avctx->width)
break;
- pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
+ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
pixel_ptr++;
}
@@ -98,7 +95,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
}
} else {
// decode a run of data
- if (row_ptr + pixel_ptr + stream_byte > frame_size) {
+ if (pixel_ptr + rle_code > avctx->width + 1) {
av_log(avctx, AV_LOG_ERROR,
"MS RLE: frame ptr just went out of bounds (run)\n");
return AVERROR_INVALIDDATA;
@@ -108,9 +105,9 @@ static int msrle_decode_pal4(AVCodecContext *avctx, AVPicture *pic,
if (pixel_ptr >= avctx->width)
break;
if ((i & 1) == 0)
- pic->data[0][row_ptr + pixel_ptr] = stream_byte >> 4;
+ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte >> 4;
else
- pic->data[0][row_ptr + pixel_ptr] = stream_byte & 0x0F;
+ pic->data[0][line * pic->linesize[0] + pixel_ptr] = stream_byte & 0x0F;
pixel_ptr++;
}
}