authorLaurent Aimar <fenrir@videolan.org>2011-10-01 00:44:56 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-10-01 02:41:39 +0200
commit7afe9e5638242a3210a0fc378e34e3af41e29176 (patch)
treea2990dd6b5f77e7f3680e45135b90bc074692dc2 /libavcodec/avs.c
parent5d44c061cf511d97be5fac8d76be2f3915c6e798 (diff)
Check for out of bound reads in AVS decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/avs.c')
-rw-r--r--libavcodec/avs.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/libavcodec/avs.c b/libavcodec/avs.c
index b3c71bb34b..9e73695f5e 100644
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx,
void *data, int *data_size, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size;
AvsContext *const avs = avctx->priv_data;
AVFrame *picture = data;
@@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx,
out = avs->picture.data[0];
stride = avs->picture.linesize[0];
+ if (buf_end - buf < 4)
+ return AVERROR_INVALIDDATA;
sub_type = buf[0];
type = buf[1];
buf += 4;
@@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx,
first = AV_RL16(buf);
last = first + AV_RL16(buf + 2);
+ if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first))
+ return AVERROR_INVALIDDATA;
buf += 4;
for (i=first; i<last; i++, buf+=3)
pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2);
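Review bot: The two `AV_RL16` reads that fill `first` and `last` run before the new length check, so if fewer than 4 bytes remain at that point they have already gone past `buf_end` when the packet is rejected. Unless the decoder deliberately relies on padding after the packet data (not visible here), a separate `if (buf_end - buf < 4) return AVERROR_INVALIDDATA;` ahead of `first = AV_RL16(buf);` closes that, and the existing condition can stay as it is. The `first >= 256 || last > 256` part also bounds the `pal[i]` store, so this check guards a write as well as the reads. The second `4` in `4 + 4 + 3 * (last - first)` presumably reserves room for a header read after the loop; a comment such as `/* range header + palette entries + following chunk header */` would make that verifiable. The enclosing block starts and ends outside the hunk.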
@@ -114,9 +119,13 @@ avs_decode_frame(AVCodecContext * avctx,
return -1;
}
+ if (buf_end - buf < 256 * vect_w * vect_h)
+ return AVERROR_INVALIDDATA;
table = buf + (256 * vect_w * vect_h);
if (sub_type != AVS_I_FRAME) {
int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
+ if (buf_end - table < map_size)
+ return AVERROR_INVALIDDATA;
init_get_bits(&change_map, table, map_size * 8);
table += map_size;
}
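Review bot: The bound `256 * vect_w * vect_h` is written out twice, once in the new check and once in the `table = buf + (...)` assignment directly below it, so the check and the pointer it protects can drift apart if one is edited later. Computing it once into a local declared with the function's other variables, then using `if (buf_end - buf < vect_size)` and `table = buf + vect_size;`, keeps them in step. Separately, the unchanged `return -1;` just above now sits next to paths returning `AVERROR_INVALIDDATA`, so callers see two different codes for malformed input from the same function. The function body continues outside the hunk.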
@@ -124,6 +133,8 @@ avs_decode_frame(AVCodecContext * avctx,
for (y=0; y<198; y+=vect_h) {
for (x=0; x<318; x+=vect_w) {
if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) {
+ if (buf_end - table < 1)
+ return AVERROR_INVALIDDATA;
vect = &buf[*table++ * (vect_w * vect_h)];
for (j=0; j<vect_w; j++) {
out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j];
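Review bot: The per-block `buf_end - table < 1` check returns from inside the loop after earlier iterations have already written to `out`, so a truncated packet leaves `avs->picture` partly updated when the error is reported; if that picture is reused for later frames (not visible here), the damage persists. For the `AVS_I_FRAME` case the number of `table` bytes is known before the loop, so a single up-front test such as `if (sub_type == AVS_I_FRAME && buf_end - table < (318 / vect_w) * (198 / vect_h)) return AVERROR_INVALIDDATA;` would reject the packet before anything is written, assuming `vect_w` and `vect_h` divide 318 and 198 as the `map_size` computation suggests. The in-loop check is still needed for the change-map path. The loop body continues outside the hunk.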