diff options
author | Roberto Togni <r_togni@tiscali.it> | 2005-01-09 23:39:32 +0000 |
---|---|---|
committer | Roberto Togni <r_togni@tiscali.it> | 2005-01-09 23:39:32 +0000 |
commit | c31b81216619e6b3d986ce63c82357993e10e8e9 (patch) | |
tree | 7284ec8818011bff0cff35c5208f5edff050f0bb /libavcodec/8bps.c | |
parent | 9c6221ae621a3467b7466e98975e63b2382c1b58 (diff) | |
download | ffmpeg-c31b81216619e6b3d986ce63c82357993e10e8e9.tar.gz |
Check pointers before writing to memory, fix possible integer overflows
Force alignement for mszh and zlib decoders
Originally committed as revision 3817 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/8bps.c')
-rw-r--r-- | libavcodec/8bps.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 9509f42ad5..9adf4967c5 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -61,7 +61,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8 { EightBpsContext * const c = (EightBpsContext *)avctx->priv_data; unsigned char *encoded = (unsigned char *)buf; - unsigned char *pixptr; + unsigned char *pixptr, *pixptr_end; unsigned int height = avctx->height; // Real image height unsigned int dlen, p, row; unsigned char *lp, *dp; @@ -101,18 +101,23 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, uint8 /* Decode a plane */ for(row = 0; row < height; row++) { pixptr = c->pic.data[0] + row * c->pic.linesize[0] + planemap[p]; + pixptr_end = pixptr + c->pic.linesize[0]; dlen = be2me_16(*(unsigned short *)(lp+row*2)); /* Decode a row of this plane */ while(dlen > 0) { if ((count = *dp++) <= 127) { count++; dlen -= count + 1; + if (pixptr + count * px_inc > pixptr_end) + break; while(count--) { *pixptr = *dp++; pixptr += px_inc; } } else { count = 257 - count; + if (pixptr + count * px_inc > pixptr_end) + break; while(count--) { *pixptr = *dp; pixptr += px_inc; @@ -155,6 +160,12 @@ static int decode_init(AVCodecContext *avctx) c->pic.data[0] = NULL; + // FIXME: find a better way to prevent integer overflow + if (((unsigned int)avctx->width > 32000) || ((unsigned int)avctx->height > 32000)) { + av_log(avctx, AV_LOG_ERROR, "Bad image size (w = %d, h = %d).\n", avctx->width, avctx->height); + return 1; + } + switch (avctx->bits_per_sample) { case 8: avctx->pix_fmt = PIX_FMT_PAL8; |