diff options
author | Aneesh Dogra <lionaneesh@gmail.com> | 2012-01-05 01:28:21 +0530 |
---|---|---|
committer | Ronald S. Bultje <rsbultje@gmail.com> | 2012-01-05 09:37:16 -0800 |
commit | 9b55b4bb3acc5f41b00eed5b93af4cd8400c9145 (patch) | |
tree | a0fe8a719fec37cf679aa28db748dcde3a2d0d8b /libavcodec/4xm.c | |
parent | e268a352af893e47bd3ea2aed90761cb0b4feca7 (diff) | |
download | ffmpeg-9b55b4bb3acc5f41b00eed5b93af4cd8400c9145.tar.gz |
4xm: Prevent buffer overreads.
4xm decoder while decoding i2 frames can overread the buffer if proper checks
are not made.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Diffstat (limited to 'libavcodec/4xm.c')
-rw-r--r-- | libavcodec/4xm.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index cfb8279870..52edc9942e 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -614,16 +614,24 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ int x, y, x2, y2; const int width= f->avctx->width; const int height= f->avctx->height; + const int mbs = (FFALIGN(width, 16) >> 4) * (FFALIGN(height, 16) >> 4); uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; + GetByteContext g3; + + if(length < mbs * 8) { + av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); + return AVERROR_INVALIDDATA; + } + bytestream2_init(&g3, buf, length); for(y=0; y<height; y+=16){ for(x=0; x<width; x+=16){ unsigned int color[4], bits; memset(color, 0, sizeof(color)); //warning following is purely guessed ... - color[0]= bytestream_get_le16(&buf); - color[1]= bytestream_get_le16(&buf); + color[0]= bytestream2_get_le16u(&g3); + color[1]= bytestream2_get_le16u(&g3); if(color[0]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 1\n"); if(color[1]&0x8000) av_log(NULL, AV_LOG_ERROR, "unk bit 2\n"); @@ -631,7 +639,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){ color[2]= mix(color[0], color[1]); color[3]= mix(color[1], color[0]); - bits= bytestream_get_le32(&buf); + bits= bytestream2_get_le32u(&g3); for(y2=0; y2<16; y2++){ for(x2=0; x2<16; x2++){ int index= 2*(x2>>2) + 8*(y2>>2); |