author | Michael Niedermayer <michaelni@gmx.at> | 2013-03-05 02:19:12 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2013-03-20 19:54:53 +0100 |
commit | f84ddb0c0fbb7f1c0ff34418426840f6ea79448e (patch) | |
tree | 1a1527b4c6ff47e6353c5ccd78cfd877986da2c4 | |
parent | bbefdb39386153f8103d9a2fc47765422f7eb177 (diff) | |
download | ffmpeg-f84ddb0c0fbb7f1c0ff34418426840f6ea79448e.tar.gz |
msrledec: fix output_end checks
Fixes out of array accesses
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e398990eb87785e20e065cd3f14d1dbb69df4392)
Conflicts:
libavcodec/msrledec.c
-rw-r--r-- | libavcodec/msrledec.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c
index e969994875..b0b8ef1c7f 100644
--- a/libavcodec/msrledec.c
+++ b/libavcodec/msrledec.c
@@ -138,7 +138,8 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, unsigned int width= FFABS(pic->linesize[0]) / (depth >> 3); output = pic->data[0] + (avctx->height - 1) * pic->linesize[0]; - output_end = pic->data[0] + avctx->height * pic->linesize[0]; + output_end = output + FFABS(pic->linesize[0]); + while (bytestream2_get_bytes_left(gb) > 0) { p1 = bytestream2_get_byteu(gb); if(p1 == 0) { //Escape code
@@ -155,6 +156,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, return AVERROR_INVALIDDATA; } } + output_end = output + FFABS(pic->linesize[0]); pos = 0; continue; } else if(p2 == 1) { //End-of-picture
@@ -169,11 +171,11 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, return -1; } output = pic->data[0] + line * pic->linesize[0] + pos * (depth >> 3); + output_end = pic->data[0] + line * pic->linesize[0] + FFABS(pic->linesize[0]); continue; } // Copy data - if ((pic->linesize[0] > 0 && output + p2 * (depth >> 3) > output_end) || - (pic->linesize[0] < 0 && output + p2 * (depth >> 3) < output_end)) { + if (output + p2 * (depth >> 3) > output_end) { bytestream2_skip(gb, 2 * (depth >> 3)); continue; } else if (bytestream2_get_bytes_left(gb) < p2 * (depth >> 3)) {
@@ -203,8 +205,7 @@ static int msrle_decode_8_16_24_32(AVCodecContext *avctx, AVPicture *pic, pos += p2; } else { //run of pixels uint8_t pix[3]; //original pixel - if ((pic->linesize[0] > 0 && output + p1 * (depth >> 3) > output_end) || - (pic->linesize[0] < 0 && output + p1 * (depth >> 3) < output_end)) + if (output + p1 * (depth >> 3) > output_end) continue; switch(depth){ |
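Review bot: Nothing records that `output_end` now means "one past the end of the row `output` points into" rather than the end of the picture; the first assignment, right after `output = pic->data[0] + (avctx->height - 1) * pic->linesize[0];`, should carry a comment such as `/* output_end: one past the last byte of the current row; refresh it whenever output moves to another row */`. The same recomputation is repeated by hand in the end-of-line branch (second hunk) and the skip branch (third hunk). A later branch that changes `line` without refreshing `output_end` would quietly bring back the out-of-array write this commit fixes, so a small static helper that sets both pointers together would keep them in sync. The function body starts and ends outside these hunks.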
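Review bot: The rewritten bound check `if (output + p2 * (depth >> 3) > output_end)` still forms the advanced pointer before comparing it, which is undefined behaviour in C once that pointer leaves the picture buffer; comparing lengths avoids it: `if (p2 * (depth >> 3) > output_end - output) {`. The run-of-pixels check in the fourth hunk has the same shape with `p1`. The declarations of `p1` and `p2` are outside the hunks, so the signedness of that comparison needs confirming. Separately, the rejected copy is dropped with `bytestream2_skip(gb, 2 * (depth >> 3)); continue;` rather than `return AVERROR_INVALIDDATA;`, so a malformed stream keeps decoding from a position that may no longer line up with the opcode stream; a log line or an error return would make that visible.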