author | Laurent Aimar <fenrir@videolan.org> | 2011-10-08 21:57:27 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-04 01:01:11 +0100 |
commit | ca58b215ab2c4d593b8be04420dfa6c1720a409c (patch) | |
tree | 2efbaeb69e45baa85d08850d52259262b94ab293 | |
parent | 67c46b9b3027fdd9fd737e21a80d3326748b1c15 (diff) | |
download | ffmpeg-ca58b215ab2c4d593b8be04420dfa6c1720a409c.tar.gz |
txd: check for out of bound reads.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e182de9a98272fbe4f368000911191aaeb0d6fb3)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/txd.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/libavcodec/txd.c b/libavcodec/txd.c index 0e25458c86..219c337534 100644 --- a/libavcodec/txd.c +++ b/libavcodec/txd.c @@ -23,6 +23,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/imgutils.h" +#include "bytestream.h" #include "avcodec.h" #include "s3tc.h" @@ -42,6 +43,7 @@ static av_cold int txd_init(AVCodecContext *avctx) { static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt) { const uint8_t *buf = avpkt->data; + const uint8_t *buf_end = avpkt->data + avpkt->size; TXDContext * const s = avctx->priv_data; AVFrame *picture = data; AVFrame * const p = &s->picture; @@ -52,6 +54,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, const uint32_t *palette = (const uint32_t *)(cur + 88); uint32_t *pal; + if (buf_end - cur < 92) + return AVERROR_INVALIDDATA; version = AV_RL32(cur); d3d_format = AV_RL32(cur+76); w = AV_RL16(cur+80); @@ -69,6 +73,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if (depth == 8) { avctx->pix_fmt = PIX_FMT_PAL8; + if (buf_end - cur < 1024) + return AVERROR_INVALIDDATA; cur += 1024; } else if (depth == 16 || depth == 32) avctx->pix_fmt = PIX_FMT_RGB32; @@ -100,6 +106,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, v = AV_RB32(palette+y); pal[y] = (v>>8) + (v<<24); } + if (buf_end - cur < w * h) + return AVERROR_INVALIDDATA; for (y=0; y<h; y++) { memcpy(ptr, cur, w); ptr += stride; @@ -110,9 +118,13 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, case 0: if (!flags&1) goto unsupported; case FF_S3TC_DXT1: + if (buf_end - cur < (w/4) * (h/4) * 8) + return AVERROR_INVALIDDATA; ff_decode_dxt1(cur, ptr, w, h, stride); break; case FF_S3TC_DXT3: + if (buf_end - cur < (w/4) * (h/4) * 16) + return AVERROR_INVALIDDATA; ff_decode_dxt3(cur, ptr, w, h, stride); break; default: 
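Review bot: The new guard `if (buf_end - cur < 92)` uses a bare 92 that the reader has to reconstruct from the offsets read below it (`cur+76`, `cur+80`, and the palette pointer at `cur + 88`). A short comment such as `/* 92 = fixed TXD header size; all header fields are read from within it */` (presumably; confirm against the reads outside the hunk) would let the bound be audited. The same applies to the 1024 in the `depth == 8` check of the next hunk, which looks like 256 palette entries of 4 bytes. Note also that `palette` is formed from `cur + 88` in the declarations before the guard runs; it is only dereferenced later, but assigning it after the check would keep the pointer arithmetic inside the validated range. The function body starts and ends outside the hunk.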
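Review bot: The right-hand side of `if (buf_end - cur < w * h)` is computed in the type of `w` and `h`, so the product can wrap before it is compared. The same holds for `(w/4) * (h/4) * 8` and `(w/4) * (h/4) * 16` in the DXT cases and `h * w * 4` in the `0x15`/`0x16` case. `w` is read with `AV_RL16` and `h` presumably likewise, so `w * h` can approach 2^32 and `h * w * 4` can exceed it. The declarations and any earlier dimension validation are outside the hunks, so this may already be bounded; if not, a wrapped product lets a short packet pass the check and the row `memcpy` loop read past `buf_end`. Doing the arithmetic in 64 bits, e.g. `if (buf_end - cur < (int64_t)w * h)` and likewise for the other three checks, removes the dependency on that earlier validation.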
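Review bot: The context line `if (!flags&1)` under `case 0:` parses as `(!flags) & 1`, because unary `!` binds tighter than `&`. It is therefore true only when `flags` is zero, not whenever bit 0 is clear. If the intent is to reject textures without that flag bit, it should read `if (!(flags & 1))`. This matters next to the new bounds check because `case 0:` falls through into `case FF_S3TC_DXT1:`, so this condition decides which inputs reach `ff_decode_dxt1`. The switch starts and ends outside the hunk.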
@@ -122,6 +134,8 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, switch (d3d_format) { case 0x15: case 0x16: + if (buf_end - cur < h * w * 4) + return AVERROR_INVALIDDATA; for (y=0; y<h; y++) { memcpy(ptr, cur, w*4); ptr += stride; @@ -133,8 +147,12 @@ static int txd_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } - for (; mipmap_count > 1; mipmap_count--) - cur += AV_RL32(cur) + 4; + for (; mipmap_count > 1 && buf_end - cur >= 4; mipmap_count--) { + uint32_t length = bytestream_get_le32(&cur); + if (buf_end - cur < length) + break; + cur += length; + } *picture = s->picture; *data_size = sizeof(AVPicture); |
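Review bot: The rewritten mipmap loop stops silently when a level's length field points past `buf_end`, and the frame is still handed back through `*picture` and `*data_size`. That looks deliberate, since the levels are only skipped, but nothing records it. A comment above the loop such as `/* skip remaining mipmap levels; a truncated level ends the skip instead of failing the frame */` would make the choice explicit. The comparison `buf_end - cur < length` also mixes a signed pointer difference with a `uint32_t`. It is safe only because the loop condition guarantees at least 4 bytes remain before `bytestream_get_le32` advances `cur`, which is worth stating in the same comment.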