aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/8bps.c
diff options
context:
space:
mode:
authorRoberto Togni <r_togni@tiscali.it>2005-01-09 23:39:32 +0000
committerRoberto Togni <r_togni@tiscali.it>2005-01-09 23:39:32 +0000
commitc31b81216619e6b3d986ce63c82357993e10e8e9 (patch)
tree7284ec8818011bff0cff35c5208f5edff050f0bb /libavcodec/8bps.c
parent9c6221ae621a3467b7466e98975e63b2382c1b58 (diff)
downloadffmpeg-c31b81216619e6b3d986ce63c82357993e10e8e9.tar.gz
Check pointers before writing to memory, fix possible integer overflows
Force alignement for mszh and zlib decoders Originally committed as revision 3817 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/8bps.c')
-rw-r--r--libavcodec/8bps.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c
index 9509f42ad5..9adf4967c5 100644
--- a/libavcodec/8bps.c
+++ b/libavcodec/8bps.c
@@ -61,7 +61,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8
{
EightBpsContext * const c = (EightBpsContext *)avctx->priv_data;
unsigned char *encoded = (unsigned char *)buf;
- unsigned char *pixptr;
+ unsigned char *pixptr, *pixptr_end;
unsigned int height = avctx->height; // Real image height
unsigned int dlen, p, row;
unsigned char *lp, *dp;
@@ -101,18 +101,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8
/* Decode a plane */
for(row = 0; row < height; row++) {
pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p];
+ pixptr_end = pixptr + c->pic.linesize[0];
dlen = be2me_16(*(unsigned short *)(lp+row*2));
/* Decode a row of this plane */
while(dlen > 0) {
if ((count = *dp++) <= 127) {
count++;
dlen -= count + 1;
+ if (pixptr + count * px_inc > pixptr_end)
+ break;
while(count--) {
*pixptr = *dp++;
pixptr += px_inc;
}
} else {
count = 257 - count;
+ if (pixptr + count * px_inc > pixptr_end)
+ break;
while(count--) {
*pixptr = *dp;
pixptr += px_inc;
@@ -155,6 +160,12 @@ static int decode_init(AVCodecContext *avctx)
c->pic.data[0] = NULL;
+ // FIXME: find a better way to prevent integer overflow
+ if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) {
+ av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height);
+ return 1;
+ }
+
switch (avctx->bits_per_sample) {
case 8:
avctx->pix_fmt = PIX_FMT_PAL8;